ABSTRACT


This research designed and implemented an intelligent tutoring system for teaching 
computer intrusion detection to potential or current system administrators of computer 
networks. The Intrusion-Detection Tutoring System (IDTS) is an intelligent tutoring 
system built using Quintus Prolog and METUTOR general-purpose tutoring software 
written by Professor Rowe. The operating environment of the IDTS is a virtual one, based 
on UNIX; it uses some common UNIX commands and file hierarchy. After both student 
and tutor analyze a static audit file to find suspicious and/or malicious behavior, the student 
tries to fix the damage, and the computer critiques the student’s actions using means-ends 
analysis. Using its nineteen behavior rules, IDTS can classify eleven different types of 
intruder behavior known to exploit system vulnerabilities, and can tutor the student how to 
detect this behavior and how to efficiently return the system to a secure state after the 
intrusion has occurred. Four different audit files of varying length were tested with IDTS. 
IDTS correctly identified most intruder behavior in both manually and computer generated 
audit files, and showed it could correctly tutor on that behavior. 

I. INTRODUCTION 


Computer security of software and data is a difficult and never-ending problem 
requiring both manual and automated controls. A key part of the manual controls is the 
system administrator who is responsible for not only ensuring that the system is fully 
operational but also that it is secure. This person, in addition to learning day-to-day 
operation of the computer network, will have to learn about computer security either by 
reading about it or through trial by fire. This trial-by-fire method of learning about security 
can be potentially damaging to the company financially or to national security in the case 
of the military unit because security problems can be infrequent, although very damaging 
when they do occur. There has to be, or should be, a better way to learn about system 
administrator duties, particularly security issues. 

Formal computer security courses are available, but can be time consuming and cost 
prohibitive for some smaller organizations. What would be helpful is an automated 
intrusion-detection tutoring system that could teach the user about system security duties 
and how to identify an intruder from an audit trail. This type of intrusion-detection tutoring 
system would allow the user to learn about intruder behavior at their own convenience and 
pace, and possibly expedite the learning process. This thesis presents the Intrusion- 
Detection Tutorial System (IDTS), which is an automated intelligent tutoring system 
focussing on intrusion detection. 

IDTS, described herein, is built using Quintus Prolog and runs on top of the 
metutorSO application, written by Professor Rowe, which uses intrusion-detection software 
and means-ends analysis to actually perform the tutoring. IDTS was specifically designed 
to tutor potential or current computer system administrators in the area of intrusion 
detection. The operating system environment of IDTS is a virtual one, based on UNIX; it 
uses some common UNIX commands and its file hierarchy. After both student and tutor 
analyze a static audit file to find suspicious and/or malicious behavior, the student tries to 
fix the damage, and the computer critiques the student’s actions using means-ends analysis. 

The contents of this thesis are as follows. Chapter II will present related work in 
intelligent tutoring systems and means-ends analysis. Chapter III will discuss intrusion 
detection and automated systems to detect intruders, specifically the Next-Generation 
Intrusion Detection Expert System (NIDES) developed at SRI International, Menlo Park, 
CA. Chapter IV will introduce IDTS and take an in-depth look at its actual components. 
It will present the virtual computer operating environment of IDTS, specifically the file 
hierarchy, the audit file, the UNIX commands used, and the assumptions and decisions 
made during its design. It will also discuss the relationships between each of the 
components as well as additional required programs written by others. Chapter V will 
discuss the performance of the IDTS, specifically behaviors detected, space requirements, 
and CPU runtime. Chapter VI will summarize all of the above, and will discuss the 
weaknesses of the IDTS. It will also make recommendations for improving the existing 
IDTS application. Finally, two appendices have been included. Appendix A contains the 
source code for IDTS, and Appendix B contains script runs of IDTS, testing four separate 
input audit files. 

II. INTRODUCTION TO MEANS-ENDS ANALYSIS AND 
INTELLIGENT TUTORING SYSTEMS 


A. MEANS-ENDS ANALYSIS 

Means-ends analysis attempts to solve a search problem through abstraction by 
taking the difference between the current state and the goal state and applying a 
recommended operator. In order to apply a recommended operator, some preconditions 
must be met. The results of applying an operator are postconditions, which are added to 
the state. It is also possible that by applying an operator, conditions may be deleted from 
the state. Means-ends analysis is a recursive search; therefore, it will continue to apply 
operators, check preconditions, add postconditions, and delete postconditions, until the 
difference between the state and the goal is the empty set. In an implementation of means- 
ends analysis, the recommended operators are stored as recommended facts, the 
preconditions as precondition facts, the postconditions as addpostcondition facts, and the 
deleted postconditions as deletepostcondition facts [Ref. 1]. For an in-depth explanation 
of means-ends analysis, see [Ref. 1, pp. 263 - 281]. 
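
The search described above, as an added example that is not part of the thesis or of METUTOR: a small means-ends planner in Python (IDTS itself is written in Quintus Prolog). Only the four fact kinds (recommended, precondition, addpostcondition, deletepostcondition) come from the text; the operator names, the state facts and the `critique` helper are hypothetical.

```python
from typing import NamedTuple, FrozenSet


class Operator(NamedTuple):
    name: str
    recommended: FrozenSet[str]          # differences this operator is recommended for
    precondition: FrozenSet[str]         # facts that must hold before it can be applied
    addpostcondition: FrozenSet[str]     # facts added to the state by applying it
    deletepostcondition: FrozenSet[str]  # facts deleted from the state by applying it


def op(name, recommended, pre=(), add=(), delete=()):
    return Operator(name, frozenset(recommended), frozenset(pre),
                    frozenset(add), frozenset(delete))


# Hypothetical clean-up operators, listed in priority order (most important first).
OPERATORS = [
    op("change_root_password", ["secure(root_password)"],
       add=["secure(root_password)"], delete=["compromised(root_password)"]),
    op("restore_passwd_from_backup", ["intact(passwd)"],
       pre=["loaded(backup_tape)", "secure(root_password)"],
       add=["intact(passwd)"], delete=["modified(passwd)"]),
    op("load_backup_tape", ["loaded(backup_tape)"],
       pre=["stored(backup_tape)"],
       add=["loaded(backup_tape)"], delete=["stored(backup_tape)"]),
    op("store_backup_tape", ["stored(backup_tape)"],
       pre=["loaded(backup_tape)"],
       add=["stored(backup_tape)"], delete=["loaded(backup_tape)"]),
]

# Constructed start state and goal: the tape must end up stored again even
# though restoring a file requires taking it out of storage.
START = frozenset({"stored(backup_tape)", "modified(passwd)",
                   "compromised(root_password)"})
GOAL = frozenset({"stored(backup_tape)", "intact(passwd)",
                  "secure(root_password)"})


def means_ends(state, goal, operators=OPERATORS, depth=0, max_depth=25):
    """Return (plan, final_state), or None if no plan is found."""
    state, goal = frozenset(state), frozenset(goal)
    difference = goal - state
    if not difference:                      # nothing left to achieve
        return [], state
    if depth >= max_depth:                  # guard against cyclic operator sets
        return None
    for operator in operators:
        if not operator.recommended <= difference:
            continue                        # not recommended for this difference
        # First reach a state in which the operator's preconditions hold.
        pre = means_ends(state, operator.precondition, operators,
                         depth + 1, max_depth)
        if pre is None:
            continue
        pre_plan, pre_state = pre
        # Apply the operator: delete postconditions, then add postconditions.
        post_state = (pre_state - operator.deletepostcondition) \
            | operator.addpostcondition
        # Then close whatever difference to the goal remains.
        rest = means_ends(post_state, goal, operators, depth + 1, max_depth)
        if rest is None:
            continue
        rest_plan, final_state = rest
        return pre_plan + [operator.name] + rest_plan, final_state
    return None


def critique(state, goal, action, operators=OPERATORS):
    """Compare a student's chosen action with the planner's next step."""
    result = means_ends(state, goal, operators)
    plan = result[0] if result else []
    if plan and action == plan[0]:
        return "ok"
    if action in plan:                      # useful, but something else comes first
        return "hint: first do " + plan[0]
    return "inappropriate"


if __name__ == "__main__":
    print(means_ends(START, GOAL)[0])
    print(critique(START, GOAL, "load_backup_tape"))
```
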

B. INTELLIGENT TUTORING SYSTEMS 

Intelligent tutoring systems offer an attractive and efficient way to learn, since the 
emphasis is on learning-by-doing: converting factual knowledge into experiential 
knowledge [Ref. 2, p. 1]. They provide an interactive simulation for the student to learn 
procedural skills, and a friendly environment in which the student can back-up and redo 
actions. There are also similar intelligent tutoring systems that provide a shell for “role- 
performance” skills that are the same as procedural skills [Ref. 3]. Both “role- 
performance” and procedural skills are types of skills the student learns by completing a 
series of discrete actions. An example of a procedural skills intelligent tutoring system is 
PIXIE, described in [Ref. 4]. It is an expert system shell for teaching rule-based systems. 
It has features for knowledge representation and for defining inference rules in the domain. 
There are also tutoring strategy rules present in PIXIE. Regardless of the implementation, 
all intelligent tutoring systems will require a large predefined task structures library used 
to store the components of the tutoring strategies to be designed by the teacher or expert. 

IDTS uses the intelligent tutoring system METUTOR to tutor the student in 
intrusion detection. METUTOR, like PIXIE, is a procedural skills tutoring system and uses 
means-ends analysis to tutor the student using the recommended operator predicates 
described above. A procedural intelligent-tutoring system, like METUTOR, is suited to 
intrusion detection because the task of finding intruders and correcting the damage they 
cause is procedural in nature. 

III. AN INTRODUCTION TO INTRUSION DETECTION 


Today it is not uncommon to pick up a newspaper or magazine and read that 
someone has broken into the computer system of a major company or university. The 
reasons why someone breaks into a computer system are numerous. Some do it just for the 
mere thrill of it, while others do it to cause problems within the computer system like 
inserting a virus. More and more intruders, however, are doing it for monetary gain. 
“Cybercrime” is on the rise, and current laws do not apply well at all to computer crimes 
[Ref. 5]. 

According to Lunt in [Ref. 6], “timely detection of unauthorized intruders into 
computers and computer networks is a problem of increasing concern.” Regardless of the 
reason for computer intrusion, detecting this intruder behavior, whether it is an external 
penetration or an insider attack, should be of the utmost importance to any system 
administrator. There are several software intrusion-detection tools available to a system 
administrator as well as hardware tools; both types of tools require analysis of audit trail 
information as stated in [Ref. 7]. 

A. INTRUSION-DETECTION SOFTWARE TOOLS 

1. Expert Systems 

In an intrusion-detection expert system, there are a set of rules based on the 
“expert’s” knowledge of the intruder’s behavior used to analyze the contents of the audit 
trail. If behavior exists in the audit trail matching any of the rules, then some alarm is 
triggered. In addition to these rules based on past intrusions, known as system 
vulnerabilities, there are also rules corresponding to anomalous behavior. User profiles are 
maintained on legitimate users on the system, and if there is any deviation from their 
established pattern, due to an intruder using the account, then it is considered an anomalous 
detection [Ref. 9]. A well-known intrusion-detection expert system is described in the 
following section. 

2. Next-Generation Intrusion Detection Expert System (NIDES) 

NIDES is a real-time intrusion-detection expert system developed at SRI 
International, Menlo Park, CA, and it provides a good example of a class of similar 
systems. Its predecessor, Intrusion-Detection Expert System (IDES), has been the basis for 
most intrusion detection research to date, and it forms the conceptual basis for several other 
intrusion-detection software tools [Ref. 7]. NIDES is system independent, and is able to 
process the audit trail information from a target system. It uses expert-system rules, 
modeled for different types of intruder behavior, to detect intruders regardless if they are 
external penetrators, internal penetrators, or misfeasors. When intruder behavior is detected 
based on these rules, an alarm is raised. For the masquerader intruders, NIDES maintains 
statistical profiles of past user behavior. If the user’s activities vary from the established 
behavior pattern, referred to as an anomalous detection, then NIDES also sounds an alarm 
[Ref. 6]. 

B. PROBLEMS IN INTRUSION DETECTION 
1. Audit Trail Overhead and Reduction 

Since IDTS is based on UNIX, we will discuss its auditing facilities. Depending on 
the version of UNIX used, either Berkeley or System V, all will maintain log files. These 
log files form the basis of UNIX’s auditing system. A determined system administrator 
may find unauthorized and/or suspicious behavior by reviewing these log files. All 
versions of UNIX maintain the following log files [Ref. 8, p. 125]: 

• /usr/adm/lastlog   Logs each user’s most recent login time. 
• /etc/utmp          Logs a record each time a user logs in. 
• /usr/adm/wtmp      Logs a record each time a user logs in or logs out. 
• /usr/adm/acct      Logs every command run by every user. 

Depending on the number of users, the information gathered in these four files can 
be an enormous amount of information for a system administrator to wade through. In 
[Ref. 6], Lunt says that far too much information is collected to be useful to determine 
if intruders are present, and that information that could be used to find intruders is not 
collected. Reducing the amount of audit trail information and deciding which information 
to keep is an on-going research problem in intrusion detection. 

2. Behavior Classification 

A big problem with automated intrusion-detection systems is that they may 
incorrectly classify user behavior. There are “false negatives” when an intruder is 
classified as a legitimate user, and “false positives” when a user is mistakenly called an 
intruder. 


3. Intrusion Detection Training 

Although automated intrusion-detection systems, like NIDES, make a system 
administrator’s life easier, it is still up to them to make the final call whether suspicious 
behavior in an audit file belongs to an intruder. This is especially true in NIDES, since 
when a user’s profile is first being trained there are several false positive alerts. In these 
cases, the system administrator must intervene and reset the intrusion-detection system. 
This is one of the reasons NIDES was not used. Regardless if an automated intrusion- 
detection tool is used, the system administrator must be knowledgeable in intrusion 
detection and know what to do if an intrusion has occurred. Cleaning-up after an intruder 
attack is something an automated system will not teach a system administrator. 

The rules in most intrusion-detection systems, like in NIDES, are modeled for real-time 
detection, and do not teach any basic system administrator skills such as storing 
backup tapes once they are done using them. What is needed is a tutor to teach an 
administrator not only how to detect intruder behavior, but what to do after an intruder has 
penetrated their system and about basic system administrator duties. IDTS is capable of 
both teaching the student how to detect intruder behavior and how to fix the damage caused 
by the intruder. Also with IDTS, there are rules that focus on basic system administrator 
skills which are well-documented in system administrator books and reports. IDTS is 
described in the following chapter. 

IV. THE INTRUSION-DETECTION TUTORING SYSTEM (IDTS) 


IDTS is an intelligent tutoring system written in Quintus Prolog. It runs on top of 
the metutorSO application, written by Professor Rowe, which provides means-end analysis 
of student actions and general-purpose rules for tutoring. It can be run in any operating 
system environment which has a Quintus Prolog compiler installed. 

A. OPERATION OF IDTS 

Upon executing IDTS, the user is shown an audit file and the mail messages 
received by root for a virtual computer system. It is up to the user to choose which actions 
to perform based on the audit file contents. The tutoring system will know the best 
recommended way to approach the intruder behavior present in the audit trail and prevent 
it from occurring again. If the user chooses an inappropriate action, the tutor will notify the 
user that a more appropriate action exists. If the chosen action is appropriate, but there is 
a more important action to perform, the tutor will give a hint to the user. The tutor will only 
end the lesson when the user has corrected any and all security problems present in the audit 
file, although the user can quit before completing the tutorial. The details of how IDTS 
accomplishes the tutoring and its components will be explained later in this chapter; 
however, before the actual components of IDTS can be understood, the virtual environment 
in which it operates must be explained. 

B. THE VIRTUAL ENVIRONMENT OF IDTS 

The virtual computer environment modeled for this tutoring system is based on the 
UNIX operating system. It was chosen due to its known security flaws and its widespread 
use, especially in the academic community. Although commands found in the audit trail 
are UNIX commands, several liberties and assumptions about them were made to 
accommodate the tutoring system. The goal of this tutor is not to make the user an expert 
on UNIX, but to make them aware of the types of behaviors that hard-core hackers and even 
casual hackers use to disrupt, corrupt, or abuse time on a given system. Some familiarity 
with UNIX, however, would be beneficial to the user, but is not required. 

1. File Hierarchy 

The files used in IDTS are virtual files, that is, they do not exist. By a virtual file 
what is meant is the file has a name, size, directory in which it resides, time it was last 
modified, permissions, type, and owner, but there is no actual content to the file. 

a. System Files 

As in a typical UNIX environment, the virtual computer system has system files. 
These system files are owned by the system administrator, who will be called 
root. For simplicity’s sake, only a few of the major system files that are known to most users 
have been used. 

b. User Files 

It is important that our virtual world include the most tempting system files 
like “passwd” and those files located in the “bin” directory belonging to root, but user files 
are also present for a more realistic environment. The files are stored just as they would be 
in a UNIX environment. Each user has a subdirectory under root’s directory named 
“users.” Each user can then create and own as many files and subdirectories as they desire. 
Figure 1 shows an example of what a file directory tree in this modeled environment might 
look like. 


c. Operations on Files 

Like the files themselves, operations on the files are virtual. If the audit file 
were to show that a user edited a file, the only parts of the file description which would 
change would be the file’s size and last time modified. When a file is created or deleted, a 
new file description is created and placed in the database or the file information is removed 
from the database respectively. 

                    / (root) 

        bin    etc    users    tmp    lib 

            adams   brown   doe   smith 

     graphics   personal   goodies   courses 

                                       | 

                                     CS3700 

Figure 1: Example of Directory Tree 


2. Audit File 

The pseudo-UNIX operating system audit trail in the virtual computer system of IDTS 
is not as sophisticated as a true UNIX operating system. There are only five pieces of 
information stored in each record of the audit file: user name, time, current directory, UNIX 
command issued, and the result of issuing the particular UNIX command. Figure 2 is an 
example listing of the audit file. 

This file is a simplified consolidation of the four log files included in a UNIX computer 
system. To assist the user, extra information not available in a true UNIX system is also in the 
audit file: the arguments of commands issued and the directory in which they were issued 
[Ref. 8, p. 130]. Additionally, the result of the command executed is given: if the command 
is unsuccessfully executed, this is “fail;” if a file is created or modified, this is the size of the 
resulting file in bytes; if a mail message is sent, this is the message itself; otherwise, this is 
“ok.” 

Name    Time   Path    Command            Result 
brown   1030   none    login brown        fail 
brown   1031   none    login brown        fail 
brown   1032   none    login brown        fail 
brown   1033   none    mail root          bad(password,brown) 
doe     8982   none    login doe          ok 
doe     9315   doe     emacs bigpaper     29947 
doe     9335   doe     emacs csproject    1024 
doe     9352   doe     ls                 ok 
doe     9360   doe     emacs csproject    4096 
doe     9373   doe     mail root          bad(ls,bin) 
doe     9375   doe     mail root          bad(doefile,doe) 
doe     9379   doe     logout             ok 
jones   910    jones   su                 fail 
jones   910    none    login jones        ok 
jones   911    jones   su                 fail 
jones   912    jones   su                 fail 
jones   920    jones   su                 ok 
jones   921    root    cd --farmer        ok 
smith   859    none    login smith        ok 
smith   900    smith   cd etc             ok 
smith   901    etc     cp passwd -smith   ok 
smith   902    etc     logout             ok 

Figure 2: Example Audit File Listing 


a. Concept of Time 

Time (t) is represented as an increasing integer value starting at the value 
one (t=1). 

3. UNIX Commands Recognized by IDTS 
a. Logins 

The login command as it appears in an IDTS audit file can be seen in Figure 
2 as “login <username>.” For simplicity, it is assumed that a user can login legitimately 
only once in the IDTS virtual UNIX environment. This restriction assists with determining 
if a user’s password has been compromised when a user is logged in twice and there is no 
logout between the two login times. 



b. Su Command 

The su or super-user command allows a user to shut down the system, 
terminate any process, create new accounts, change any account’s password, or read, write, 
or delete any file on the entire system regardless of its permissions [Ref. 10, p. 35]. An 
intruder will either try to login directly as the super-user root, or simply attempt to execute 
the su command from within another user account. If an intruder is successful at becoming 
the super-user, the consequences could be grave. 

In IDTS it is assumed that root is the only user who should know the root 
password to execute the su command successfully; therefore, if the su command is 
successfully executed by a user other than root, then the root password has been 
compromised. This assumption is an unreasonable restriction for root in a true UNIX 
operating environment, since the user who is root would not be able to execute this 
command in any directory other than their own. But this restriction teaches the user that an 
intruder will try everything in their power to become root. 

c. File Commands 

There are three types of file commands modeled in IDTS: copying, editing/creating, 
and deleting files. In the audit file the command used for copying a file is the 
UNIX cp command which takes two arguments, the file being copied and the location to 
which it will be copied. The command for editing or creating a file is the UNIX emacs command 
which takes one argument, the file to be edited or created. The command used to delete a 
file is the UNIX rm command which takes one argument, the file to be deleted. 

Two assumptions have been made in the area of file manipulation for IDTS: 
a user must be located in the same directory of the file they wish to manipulate, and the only 
editor available in IDTS’s virtual UNIX operating environment is emacs. 

C. PROGRAM OVERVIEW 

IDTS code consists of one main program and eight primary submodules. Appendix 
A contains the source code for these modules. Three of the eight submodules for this tutor 
were written by Professor Rowe. These three modules are metutorSO, megraphSO, and 
filetree. The last two modules provide an XWindows graphical user interface. 

1. The Tutoring System Design 

The tutor program requires six modules: intruder, metutorSO, rules, operators, files, 
and a test auditfile. Figure 3 shows the relationship between all IDTS modules. 


Figure 3: Relationships Between IDTS Modules 
(diagram not reproduced; its legend distinguishes Command Flow from Data Flow, and it marks the Graphics Modules) 

The intruder module is the main program, and it initializes the system and passes 
the start_state and goal of the tutoring system to the metutorSO module which determines 
how to tutor the user. The rules module contains all of the rules used to detect intruder 
behavior based upon the auditfile contents. The operators module holds all possible 
student operators/actions in the form of Prolog facts for recommended, precondition, 
addpostcondition, and deletepostcondition conditions. These four predicates are used by 
the metutorSO module to tutor the student. 

The auditfile contains audit facts that are either generated by the threat modeling 
program developed by LT Christopher Roberts described in [Ref. 11], or are manually 
written. To avoid unnecessary problems for the student, this file is a static file, unlike the 
real world where the audit trail is dynamic. Otherwise, for example, right at the moment 
the user has selected an action to get rid of a certain behavior, another audit trail fact could 
add another behavior to the state which needs to be removed. The files file is comprised of 
file facts which contain the initial virtual file hierarchy and insecure_password facts 
which tell the tutor the users who have insecure passwords. The file facts are dynamic, 
and may be created, modified, or deleted based on the actions in the auditfile. 

D. DATA STRUCTURES 

1. File Facts 

a. System Files 

The data structure for files in the virtual computer system are in the form of 
a seven argument predicate called file. The following is an example of the file predicate: 

file(<filename>,<directory>,<owner>,<size>,<type>,<protection>,<time>), 

where 

<filename> is any acceptable UNIX filename; 

<directory> is any acceptable UNIX directory; 

<owner> is the name of a user on the system and owner of this file; 

<size> is an integer and the size of the file in bytes; 

<type> is the type of the file, either executable or text; 

<protection> are the acceptable UNIX permissions for the file; 
and <time> is the time the file was last modified by the <owner>. 

The seven arguments are the typical information one might see as a result of 
using the ls command in a UNIX environment or dir in a DOS environment. 

b. Derived Files 

There are three different types of derived file facts: deleted_dir, 
deleted_file, and modified_file facts. They are derived by means of the checkfiles 
subroutine in the intruder module which loops through all of the audit file facts and applies 
any deletions of files and/or directories and any modifications to the existing system files. 
Their arguments are the same as those of the regular system file facts. 

2. Audit File Facts 

a. Audit Facts 

The only data structure stored in the auditfile is the audit fact. The form of 
these facts is as follows: 

audit(<user>,<time>,<directory>,<command>, <result>). 

where 

<user> is the name of a user in the system; 

<time> is the time the <user> executed the particular <command>; 

<directory> is the name of the current directory the <user> is located in; 

<command> is any acceptable UNIX command; 
and <result> is the result of executing the particular <command>, either “ok,” “fail,” 
“bad(<filename>,<directory>),” or an integer indicating the new size of the file named in 
the <command>. 

b. Behavior Facts 

The four and five argument behavior facts are derived from the audit facts 
by applying the behavior rules in the rules module. The four argument behavior facts are 
of the form: 

behavior(<intruder>,<crime>,<start>,<end>). 

where 

<intruder> is a string and the name of the user in the system suspected of the <crime>; 
<crime> is a string representing the type of suspicious or malicious behavior the 
<intruder> is accused of; 

<start> is an integer and the time the <crime> became noticeable; 

<end> is an integer and the time that the <crime> ended. 
The five argument behavior fact is the same as the four argument behavior 
fact except that it has an extra argument called <object>. The form of the five argument 
behavior facts is as follows: 

behavior(<intruder>,<crime>,<object>,<start>,<end>). 

The <object> argument is a string and the name of an object, either a file’s name or user’s 
password, that has been altered by the <crime> the <intruder> is suspected of. 
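
An added example, not IDTS code, showing how five-argument behavior facts could be derived from audit facts under the two assumptions stated in the login and su sections (a user can be legitimately logged in only once; only root should succeed with su). It is written in Python rather than IDTS's Prolog; the crime names, the `password:<user>` object encoding, the choice of <start> as the first su attempt, and the sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

# audit(<user>,<time>,<directory>,<command>,<result>)
Audit = namedtuple("Audit", "user time directory command result")
# behavior(<intruder>,<crime>,<object>,<start>,<end>)
Behavior = namedtuple("Behavior", "intruder crime object start end")

# Constructed sample records in the style of the audit file listing.
SAMPLE_AUDIT = [
    Audit("jones", 910, "none", "login jones", "ok"),
    Audit("jones", 911, "jones", "su", "fail"),
    Audit("jones", 912, "jones", "su", "fail"),
    Audit("jones", 920, "jones", "su", "ok"),
    Audit("jones", 925, "root", "logout", "ok"),
    Audit("doe", 1000, "none", "login doe", "ok"),
    Audit("doe", 1040, "doe", "emacs notes", "2048"),
    Audit("doe", 1100, "none", "login doe", "ok"),    # no logout since 1000
    Audit("doe", 1130, "doe", "logout", "ok"),
    Audit("smith", 1200, "none", "login smith", "ok"),
    Audit("smith", 1210, "smith", "logout", "ok"),
    Audit("smith", 1300, "none", "login smith", "ok"),  # fine: logged out first
    Audit("root", 1400, "root", "su", "ok"),            # root may use su
]


def detect_double_login(audit):
    """Flag a second successful login with no logout in between."""
    open_login = {}          # user -> time of the login that is still open
    found = []
    for rec in sorted(audit, key=lambda r: r.time):
        if rec.result != "ok":
            continue
        if rec.command == "login " + rec.user:
            if rec.user in open_login:
                found.append(Behavior(rec.user, "double_login",
                                      "password:" + rec.user,
                                      open_login[rec.user], rec.time))
            open_login[rec.user] = rec.time
        elif rec.command == "logout":
            open_login.pop(rec.user, None)
    return found


def detect_su_by_non_root(audit):
    """Flag a successful su by anyone other than root."""
    first_attempt = {}       # user -> time of first su attempt in this run
    found = []
    for rec in sorted(audit, key=lambda r: r.time):
        if rec.command != "su" or rec.user == "root":
            continue
        first_attempt.setdefault(rec.user, rec.time)
        if rec.result == "ok":
            found.append(Behavior(rec.user, "su_by_non_root", "password:root",
                                  first_attempt.pop(rec.user), rec.time))
    return found


def derive_behaviors(audit):
    """Apply both rules and return the behavior facts ordered by start time."""
    facts = detect_double_login(audit) + detect_su_by_non_root(audit)
    return sorted(facts, key=lambda b: b.start)


if __name__ == "__main__":
    for fact in derive_behaviors(SAMPLE_AUDIT):
        print(fact)
```
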

c. Mail Facts 

Like the four and five argument behavior facts, mail facts are also derived 
from the auditfile audit facts. The mail fact contains a complaint from a user to root about 
a file in a directory or a password of a given user. The complaint may be that a file has been 
modified, deleted, or that something strange occurs when the given file is executed. If the 
complaint concerns a user’s password, it means that the password has been changed by 
another person, possibly an intruder. An assumption is made that a user can send a mail to 
root even though their password has been changed. The mail facts are initially stored in 
the following data structure in the audit file in the <result> argument of the audit fact: 

bad(<filename>,<directory>). or bad(password,<user>). 

where 

<filename> is the name of a file in the system; 

<directory> is the name of the directory in which this particular file resides; 
and <user> is the name of a user on the system. This data structure is changed by the 
checkfiles routine into another form and is stored in the database as: 
mail(<from>,<to>,<time>,<message>). 

where 

<from> is the name of the user who sent the <message>; 

<to> is the name of the user who receives the <message>; 

<time> is the time the <message> was sent by <from>; 
and <message> is the mail message in the same form as the bad predicate. 

3. Miscellaneous Facts 


a. Insecure_Password Facts 

The insecure_password fact is a simple data structure which is part of the 
initial files IDTS uses to initialize the system. They let the tutoring system know which 
users have insecure passwords. These facts are contained in the files module. Their data 
structure is as follows: 

insecure_password(<user>). 
where <user> is the name of any user in the system. 

E. IDTS MAIN MODULE - INTRUDER 

1. Initializing the Start State 

In order to run IDTS, the start_state of the tutor must be initialized. This is 
accomplished by the subroutine checkfiles in the intruder module. The checkfiles 
subroutine is called by the main outer loop start of the tutor. Start not only calls checkfiles, 
but it also displays the auditfile and mail received by root, asserts a graphicsflag, and calls 
the main loop go of the metutorSO module. 

a. Checkfiles 

The checkfiles subroutine systematically loops through the auditfile 
“looking” at every audit fact. Figure 4 shows how this is done. Depending on the 
command in the audit fact, either nothing is done or one of the seven subroutines in 
checkfiles is executed. These seven subroutines will now be described. 

The rm_star subroutine deletes all files in a given directory by asserting a 
deleted_file fact in the database for each file fact in the directory where the “rm *” 
command is issued. To simulate the action of actually deleting a file, rm_star then 
retracts each file fact in the given directory. By first asserting the deleted_file fact in the 
database, the original seven arguments of the file fact are preserved. Preserving these 
arguments is necessary if a deleted file is to be restored from backup. 

Figure 4: Checkfiles Routine 

The file_deleted subroutine handles a command argument in an audit fact 
of the form “rm Filename,” where Filename is any existing file. Like rm_star, file_deleted 
asserts a deleted_file fact, and then simulates deleting the file by retracting the file fact. In 
dir_deleted a deleted_dir fact is asserted vice a deleted_file fact. 

If an audit fact has the command argument “emacs Filename” then the 
subroutine file_modified asserts a modified_file fact in the database for “Filename,” thus 
preserving the original state of the file in case it needs to be restored from backup later. 
The original file fact is then retracted and a new file fact with the modified size and time is 
asserted. If the same file is modified more than one time in the audit file, that is, the 
command “emacs Filename” is issued more than once, then the second time it is modified 
the subroutine file_modified will fail. The reason for this failure is that only one modified_file fact 
should be asserted into the database, since there can only be one set of file arguments to use 
to restore from backup. It should be noted that the current state of the file will always 
reflect the most recent modifications. 

The new_file subroutine handles the case when a file is created, or if an 
audit fact has a command argument of the form “emacs Filename,” where Filename is any 
non-existing file. A new file fact is asserted into the database. Five of the seven file fact 
arguments are taken directly from the audit fact: Filename, Directory, User, Size, and 
Time. The Type and Protection arguments of the new file fact are given the default values 
of “text” and “-rw-r--r--” respectively. 

The copied_file subroutine creates a new file in the given path with the same 
size, type, protection, and time last modified as the original. The filename, directory, and 
owner may vary. The file may be copied to another directory in the same account as the 
file being copied, or it may be copied to another account; the subroutines same_account and 
different_account handle these situations respectively. A new file fact is asserted in the 
database. 

Finally, the subroutine mail_recvd manages mail messages to root. This 
command causes mail_recvd to assert a mail fact into the database. 

b. Forming Start State List 

When the checkfiles subroutine is done, the initial start_state list can be 
formed by collecting facts into small lists by the utilities nice_bagof and nice_setof, 
written by Professor Rowe, and appending them together. 

In addition to the facts asserted during the execution of the checkfiles 
subroutine, file, behavior and insecure_password facts as well as the fact that the backup 
tape is stored, are appended to the start_state list. The file facts are those after the checkfiles 
subroutine has been executed; therefore, any files created, deleted or modified as a result 
of this subroutine’s execution will be reflected. The behavior facts are determined by the 
behavior rules for suspicious and blatant malicious behavior in the rules module. The 
specifics of how these behavior facts are determined will be discussed in detail later. The 
insecure_password facts are given in the files file. 

2. Initializing the Goal State 

The goal of the Intrusion Detection Tutoring System is for the user to identify any 
suspicious and/or malicious behavior based on a review of the audit file and mail received 
by root and to correct any of this observed behavior. Additionally, the user should ensure 
that there are no insecure passwords, the system backup tape is stored properly, and the 
password cracker has been executed at least once. 

The goal of the tutor as stated above has to be put into a form the tutor can use. Like 
the start_state, the goal is in the form of a list. The first and main part of the goal is to not 
have any behavior facts true; therefore, the goal contains a list of behavior facts preceded 
by the word “not.” This is accomplished by taking advantage of the subroutines 
suspicious_behavior and not_item. Suspicious_behavior yields a list of behavior facts; 
not_item takes this list and returns a list of not(behavior) facts. Similarly, to obtain the 
goal of no insecure passwords, a list of insecure_password facts is run through the 
not_item subroutine yielding a list of not(insecure_password) facts. The second part of 
the goal is easily satisfied by appending: 

[stored(backup,tape),executed(password,cracker)]. 

3. Output 

There are two main output subroutines used in the main outer loop start of the tutor, 
auditfile and mail. The auditfile subroutine sorts the contents of the audit file alphabetically 
and chronologically, and outputs it at the beginning of the tutoring session. The mail 
subroutine sorts the messages received by root alphabetically and prints them to the screen. 
Both auditfile and mail use the subroutine fixed_length_concatenate from the module 
filetree to assist in output formatting. 

F. RULES MODULE 


1. Behavior Rules 

The rules module uses four and five-argument behavior rules to determine 
suspicious and/or malicious behavior based on the audit file facts in a chronologically 
sorted audit file. There are nineteen behavior rules that detect eleven different types of 
intruder behavior. The behavior rules are only invoked at the tutor’s initialization. They 
address three types of intruders: 

1. someone who has guessed the root password 

2. someone who has guessed another user’s password 

3. someone who is a malicious insider 

An intruder is recognized in one of five ways: 1) they successfully executed the su 
command and they are not root; 2) they guessed another user’s password, and there is 
evidence of a concurrent login or they changed the user’s password; 3) they copied and/or 
edited the system password file “passwd” successfully; 4) they successfully copied and/or 
edited a file belonging to another user in the other user’s account; and 5) they successfully 
edited a system executable file located in the “bin” directory. 

The behavior rules find evidence for the following types of intruder behavior: 

•an intruder maliciously deleted a file 

(Root receives a message from a user that one of their files has been deleted, and 
there is evidence in the audit file that someone else has deleted it. By “maliciously” 
deleted what is meant is that an intruder has deleted, in this case, a file that does not 
belong to him. He was able to delete it either by becoming super-user or by 
simply going to the directory where the file resides and deleting it. In the general 
sense, anytime an object, either a user’s file or password, is changed or deleted by 
a user who does not own it, it is considered “malicious” behavior.) 

•an intruder copied the system password file 

(There is evidence in the audit file that the password file has been copied by some 
user.) 

•an intruder edited the system password file 

(There is evidence in the audit file that the password file has been edited by some 
user.) 

•an intruder maliciously changed user password 

(Root receives a message from a user that their password has been changed.) 

•an intruder inserted a Trojan Horse 

(Root receives a mail message that a system executable file is bad, and there is 
evidence in the audit file that it has been modified by some user by a given amount. 
In IDTS, a Trojan Horse is defined as 1024 bytes change in an executable file.) 

•an intruder maliciously modified file 

(Root receives a message from a user that one of their files has been modified.) 

•a compromised root password exists 

(A user other than root has successfully executed the su command or there is a 
concurrent login of root.) 

•a compromised user password exists 
(There is a concurrent login of a user.) 

•a possible Trojan Horse exists 

(Root receives a mail message that a system executable file is bad, and there is 
evidence in the audit file that it has been modified by some user.) 

•a possible intruder exists 

(There is evidence in the audit file that a user is repeatedly trying to execute the su 
command.) 

•a possible compromised user password exists. 

(There is evidence in the audit file of a suspicious login by a user.) 

Two important subroutines used by the behavior rules are concurrent_login 
and suspicious. The subroutine concurrent_login is used by the behavior rules to 
determine if a user is logged on twice. It compares a user’s login and logout times to see 
if there is a case when there are two login times where no logout time exists between them. 
The suspicious subroutine is used to determine when a legitimate user or intruder has 
repeatedly failed executing a particular command. There are three suspicious commands 
that the behavior rules look at: logins and the use of the su command. If the command fails 
more than some pre-determined threshold, then it is considered suspicious behavior. 
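
The two subroutines just described, re-expressed in Python as an added example (this is not the thesis's Prolog code). The sample audit facts are constructed; the integer times, the "logout" command, treating any result other than ok as a failure, the threshold of 3, and the short behavior labels (paraphrased from the list above) are assumptions.

```python
from collections import defaultdict, namedtuple

# Same five fields as the thesis's audit(User,Time,Path,Command,Result) facts.
Audit = namedtuple("Audit", "user time path command result")

# Constructed sample audit facts (assumed conventions: integer times,
# "login <user>" / "logout" / "su" commands, result "ok" on success).
SAMPLE = [
    Audit("root", 700, "root", "login root", "ok"),
    Audit("root", 750, "root", "logout", "ok"),
    Audit("adams", 800, "adams", "login adams", "ok"),
    Audit("adams", 830, "adams", "logout", "ok"),
    Audit("jones", 900, "jones", "login jones", "ok"),
    Audit("jones", 905, "jones", "login jones", "ok"),  # no logout since 900
    Audit("jones", 950, "jones", "logout", "ok"),
    Audit("davis", 1000, "davis", "su", "fail"),
    Audit("davis", 1001, "davis", "su", "fail"),
    Audit("davis", 1002, "davis", "su", "fail"),
    Audit("davis", 1003, "davis", "su", "fail"),
    Audit("davis", 1004, "davis", "su", "ok"),
    Audit("evans", 1100, "evans", "login evans", "fail"),
    Audit("evans", 1101, "evans", "login evans", "fail"),
    Audit("evans", 1102, "evans", "login evans", "fail"),
    Audit("evans", 1103, "evans", "login evans", "fail"),
]


def verb(rec):
    """First word of the command, or '' for an empty command."""
    words = rec.command.split()
    return words[0] if words else ""


def concurrent_logins(audit):
    """Map user -> [(t1, t2)] for two successful logins with no logout between."""
    open_login, hits = {}, defaultdict(list)
    for rec in sorted(audit, key=lambda r: r.time):
        if rec.result != "ok":
            continue
        if verb(rec) == "login":
            if rec.user in open_login:
                hits[rec.user].append((open_login[rec.user], rec.time))
            open_login[rec.user] = rec.time
        elif verb(rec) == "logout":
            open_login.pop(rec.user, None)
    return dict(hits)


def suspicious(audit, command, threshold=3):
    """Map user -> (first, last, count) where failures of `command` exceed threshold."""
    fails = defaultdict(list)
    for rec in sorted(audit, key=lambda r: r.time):
        if verb(rec) == command and rec.result != "ok":
            fails[rec.user].append(rec.time)
    return {u: (ts[0], ts[-1], len(ts))
            for u, ts in fails.items() if len(ts) > threshold}


def behavior_facts(audit, threshold=3):
    """Combine both checks into (user, behavior, time1, time2) tuples."""
    facts = []
    for user, pairs in concurrent_logins(audit).items():
        label = ("compromised root password" if user == "root"
                 else "compromised user password")
        facts += [(user, label, t1, t2) for t1, t2 in pairs]
    for rec in audit:
        # A user other than root who successfully executed su.
        if verb(rec) == "su" and rec.result == "ok" and rec.user != "root":
            facts.append((rec.user, "compromised root password", rec.time, rec.time))
    for user, (t1, t2, _) in suspicious(audit, "su", threshold).items():
        facts.append((user, "possible intruder", t1, t2))
    for user, (t1, t2, _) in suspicious(audit, "login", threshold).items():
        facts.append((user, "possible compromised user password", t1, t2))
    return sorted(facts, key=lambda f: (f[2], f[0], f[1]))


if __name__ == "__main__":
    for fact in behavior_facts(SAMPLE):
        print(fact)
```
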

G. OPERATORS MODULE 

This module stores the predicates required by metutor30 to tutor the student: 
recommended, precondition, addpostcondition, and deletepostcondition. The possible 
student actions and their recommending circumstances are stored in the recommended 
predicate. In order to use one of these recommended actions, the student and tutor must 
ensure that certain preconditions are met. A list of preconditions for each operator action 
is in the precondition predicate. After an operator action has been selected by the student 
and executed by the tutor, any postconditions associated with the operator action are placed 
in the current state of the system. These postconditions are stored in the addpostcondition 
predicate. The deletepostcondition predicate is used to delete a fact from the current state 
after the associated operator has been applied to the current state of the system. In IDTS, 
the most important actions are those which remove the intruder behaviors from the states, 
and move the student closer to the goal. 

The recommended operators in IDTS were developed from reviewing system 
administrator responsibilities in intrusion detection in [Ref. 8]. The following is a list of 
IDTS operators available to the student: 

•restore the system password file “passwd” from backup 

•change the permissions on the “passwd” file 

•change the root password 

•remove a Trojan Horse from a file 

•compare a file for a Trojan Horse with its backup version 

•confront a user 

•restore a user’s password 

•issue a new user password 

•examine a user’s password 

•investigate a user’s password 
•restore the modified file X from backup 
•restore the deleted file X from backup. 

•check the permissions on a file 
•execute the password cracker 
•change the password for a user 
•find the file X on the backup tape 
•locate the backup tape 
•load the backup tape 
•store the backup tape. 

A student uses these operators to reach the goal of no intruder behavior in the state. 
For example, if an intruder had maliciously deleted a file belonging to another user, the 
tutor would recommend the “restore the deleted file X from backup” operator to remove 
the behavior fact “behavior(Intruder,’maliciously deleted file’,X,Time1,Time2)” from the 
current state. In order to apply the “restore” operator, the precondition “found the file X on 
the backup tape” must be satisfied, which means the student needs to apply the “find the file 
X on the backup tape” operator; however, this also has a precondition of “loaded the backup 
tape,” and so on. Figure 5 shows all the steps to remove the fact 
“behavior(Intruder,’maliciously deleted file’,X,Time1,Time2)” from the state. 

locate the backup tape -> load the backup tape -> find the file X on the backup tape -> restore the deleted file X from backup 

Figure 5: Example of Using Operators to Remove Intruder Behavior 

By applying the appropriate operators, the student will ultimately reach the point 
where all intruder behavior has been addressed and system administrator responsibilities 
are completed, like storing the backup tape if it was loaded to restore a file from backup. 
At this point, the tutor will exit, congratulating the student on successfully finishing 
the lesson. 
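
The precondition chain from Figure 5, worked as a small means-ends planner in Python (an added example, not the thesis's metutor30 or operators code). The file name, the behavior fact's arguments, the add and delete lists, and deriving the recommended operator from those lists are assumptions made for illustration; the operator names, the preconditions and the goal facts follow the text above.

```python
FILE = "report.txt"  # constructed file name
BEHAVIOR = "behavior(intruder1,'maliciously deleted file',report.txt,5,9)"  # constructed
STORED = "stored(backup,tape)"
LOCATED, LOADED = "located the backup tape", "loaded the backup tape"
FOUND = f"found the file {FILE} on the backup tape"

# One entry per operator: precondition, addpostcondition, deletepostcondition.
# The add/delete lists are assumed; the thesis text gives only the preconditions.
OPERATORS = {
    "locate the backup tape": {"pre": [], "add": [LOCATED], "delete": []},
    "load the backup tape": {"pre": [LOCATED], "add": [LOADED], "delete": [STORED]},
    f"find the file {FILE} on the backup tape":
        {"pre": [LOADED], "add": [FOUND], "delete": []},
    f"restore the deleted file {FILE} from backup":
        {"pre": [FOUND], "add": [], "delete": [BEHAVIOR, FOUND]},
    "store the backup tape":
        {"pre": [LOADED], "add": [STORED], "delete": [LOADED, LOCATED]},
}

START = [BEHAVIOR, STORED]
GOAL = [("not", BEHAVIOR), STORED]  # same shape as the not(...) goal list


def holds(state, goal):
    """A goal is a fact, or ("not", fact) for a fact that must be absent."""
    if isinstance(goal, tuple) and goal[0] == "not":
        return goal[1] not in state
    return goal in state


def recommended(goal):
    """First operator whose postconditions would make `goal` true."""
    for name, op in OPERATORS.items():
        if isinstance(goal, tuple) and goal[0] == "not":
            if goal[1] in op["delete"]:
                return name
        elif goal in op["add"]:
            return name
    return None


def apply_op(state, name):
    op = OPERATORS[name]
    return (set(state) - set(op["delete"])) | set(op["add"])


def plan(state, goals, depth=0):
    """Means-ends analysis: pick an unmet goal, satisfy the recommended
    operator's preconditions recursively, apply it, repeat."""
    state, steps = set(state), []
    while True:
        unmet = [g for g in goals if not holds(state, g)]
        if not unmet:
            return steps, state
        if depth > 20 or len(steps) > 50:
            raise RuntimeError("no plan found within limits")
        name = recommended(unmet[0])
        if name is None:
            raise ValueError(f"no operator achieves {unmet[0]!r}")
        pre_steps, state = plan(state, OPERATORS[name]["pre"], depth + 1)
        steps += pre_steps + [name]
        state = apply_op(state, name)


def critique(state, goals, action):
    """Compare a student's chosen action with the planner's next step."""
    if action not in OPERATORS:
        return "unknown action"
    expected, _ = plan(state, goals)
    if not expected:
        return "nothing left to do"
    if action == expected[0]:
        return "ok"
    missing = [p for p in OPERATORS[action]["pre"] if not holds(set(state), p)]
    if missing:
        return "precondition not met: " + missing[0]
    return "not recommended now; try: " + expected[0]


if __name__ == "__main__":
    for step in plan(START, GOAL)[0]:
        print(step)
```

Because loading the tape removes stored(backup,tape) from the state, the plan ends with "store the backup tape" after the restore, which is the clean-up duty the paragraph above mentions.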
V. DISCUSSION OF RESULTS 


A. IDTS PERFORMANCE 

Four runs of IDTS were conducted with different sized test audit files containing a 
variety of intruder behaviors. The first run used an input audit file written by the author. 
The other runs used input audit files generated by the threat modeling program written by 
LT Christopher Roberts described in [Ref. 11]. The input audit files used and scripts of 
each run are contained in Appendix B. A discussion of the results of these runs follows. 

1. Run 1 

The first run of IDTS used a test audit file of one hundred and seven audit facts. All 
eleven different types of intruder behavior modeled in IDTS described in Chapter IV were 
present in the test audit and were detected. These eleven types of behaviors were found in 
twenty behavior facts determined by the IDTS rules. This run required 4,188,640 bytes of 
memory and had a runtime of 81.7 seconds. 

2. Run 2 

The second run of IDTS used a test audit file consisting of one hundred and ninety-five 
audit facts. Upon execution of IDTS, ten behavior facts were found, correctly 
detecting six different types of intruder behavior. There was a user, “doe,” who 
successfully added an executable file to root’s “bin” directory. IDTS does not model this 
type of intruder behavior; however, it is something to consider for IDTS’s future. Also, 
removing any copies of the system password file “passwd” could be modeled in future 
versions of IDTS. This run required 2,353,632 bytes of memory and had a runtime of 
40.5 seconds. 

3. Run 3 

The largest test audit file used contained two hundred and nineteen audit facts, 
and was generated with similar parameters as the audit in run 2. IDTS correctly identified 
seven different types of intruder behavior from the behavior rules firing and finding 
fourteen behavior facts. Again, the system password file was copied, but the copies 
remained in the directories to where they were copied. This run required 2,484,704 bytes 
of memory and had a runtime of 40.3 seconds. 

4. Run 4 

The fourth run of IDTS was performed on an input file of two hundred and ten audit 
facts, which was generated with similar parameters as the audit in run 2. Ten behavior facts 
were found by the IDTS rules, correctly identifying five different types of intruder 
behavior. This run required 2,222,560 bytes of memory and had a runtime of 
26.9 seconds. 

5. IDTS Tutoring Performance 

The goal of the tutor is to have the student remove any intruder behavior found by 
the IDTS rules, execute the password cracker, remove any insecure user passwords that 
result from executing the password cracker, and ensure the backup tape is stored. For 
example, in run 1 all eleven types of intruder behavior were present in the input audit file. 
The tutor will expect the student to select the appropriate actions to remove these behaviors. 
In this run, the student starts by selecting the operator “execute the password cracker.” It 
finds that there are only two passwords known to be insecure. Again the tutor will expect 
the student to remove these behaviors. By applying the appropriate action, “change the 
password,” for each user with an insecure password, the student accomplishes this. The 
student in run 1 systematically removes all behaviors by restoring files, examining and 
changing passwords, confronting users, as well as completing the required system 
administrator actions, like properly handling the backup tape. After all behaviors and 
insecure passwords are removed, the password cracker is executed, and the backup tape is 
stored, the tutor congratulates the student for having done the job. 

In all runs, the tutor correctly tutored the student, and the student was able to 
remove all behaviors detected by the IDTS rules and complete all required system 
administrator duties like executing the password cracker. 
B. HARDWARE AND SOFTWARE REQUIREMENTS 

The source code for IDTS requires 38,561 bytes. Including an average-sized input 
audit file (100 audit facts) and the initial system files file, this size increases to 
approximately 49,500 bytes. Since it is written in Quintus Prolog, a Prolog compiler is 
necessary to run this application, which increases the space requirements. IDTS can run 
without the graphical user interface provided by the programs megraphSO and filetree to 
reduce space requirements of the windowing environment of XWindows. 
VI. CONCLUSIONS AND FUTURE RESEARCH DIRECTIONS 


Intrusion detection is a very big problem, and will more than likely be a problem in 
the future. There are too many variables involved with determining if a system has come 
under an attack by an intruder. Although there are automated intrusion detection systems 
available, they do not always detect intruder behavior and are susceptible to false negatives 
and false positives. The final burden to find the intruder ultimately falls upon the system 
administrator. The system administrator should then understand how to analyze audit trail 
information. The IDTS is a tool which can assist the system administrator in learning how 
to analyze an audit trail and detect an intruder based on this analysis. 

A. PROGRAM CONTRIBUTIONS 

To date, IDTS is the first intelligent tutoring system focused on intrusion detection. 
It has nineteen behavior rules that capably and correctly detect eleven different types of 
intruder behavior, as demonstrated by the test runs in Appendix B. IDTS is flexible and 
has the ability to tutor a student in different scenarios by means of using multiple audit files. 

B. PROGRAM WEAKNESSES 

The behavior rules that are part of IDTS have been tested on only a few sample audit 
files, and require a more thorough testing. They detect behavior that has been written to 
match them. For example, the rules did not detect the user “doe” from run 2 who planted 
an executable file (possible virus) in the “bin” directory. This is definitely a rule which 
should be included in future versions of IDTS. IDTS also does not have any statistical 
anomaly detection capability. This is a difficult obstacle for IDTS to overcome, since it 
concerns itself exclusively with logical reasoning and it is built on a virtual environment. 
Anomaly detection could perhaps be simulated, but would require considerable overhead 
to maintain and train profiles. Finally, IDTS is not system independent; the rules 
are written for UNIX systems. 
C. FUTURE RESEARCH DIRECTIONS FOR IDTS 

The best way to improve IDTS would be to make it a more generic intrusion-detection 
tutoring system. This would mean it would have to be system independent. A 
possible solution would be to incorporate NIDES detection rules into IDTS to find the 
intruders. Then the other parts of IDTS along with the metutor30 module would tutor the 
student based on the intruder behavior detected by NIDES. Also, by using NIDES the 
problem of IDTS lacking anomaly detection capability would be solved. 

Additionally, more rules and operators should be added to make IDTS more 
comprehensive. Rules to detect numerous file “permission denied” errors and numerous 
cd command executions could be modeled. Also, rules as well as operators dealing with 
intruders who penetrate systems via modem or rlogins could and should be incorporated in 
IDTS. More operators on networking and system administrator responsibilities should be 
added too. For example, operators like terminating network connections and closing 
firewalls when an intruder is suspected could be added. As for system administrator 
responsibilities, operators such as removing copies of the system password file, checking 
for dormant accounts, killing processes, disabling accounts, and informing the authorities 
can only enhance IDTS and make the student a well-rounded system administrator. 
APPENDIX A: IDTS SOURCE MODULES 


This appendix contains the source code for IDTS. 


Tab 1. IDTS Main Module — Intruder 

Tab 2. IDTS Rules Module 

Tab 3. IDTS Operators Module 

Tab 4. IDTS Files Module 

Tab 5. IDTS Sample Auditfile Module 
TAB 1. IDTS MAIN MODULE - INTRUDER 


/******************************************************************************/
/* Intrusion-Detection Tutoring System Program (IDTS)                         */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Main Interface - Version 1                                            */
/*                                                                            */
/* The main interface module initializes IDTS and passes the start            */
/* state and goal to the metutor30 module.                                    */
/*                                                                            */
/* To run IDTS, load *this* module and query:                                 */
/*      :- start.                                                             */
/*                                                                            */
/* NOTE: To run IDTS with an XWindows graphical user interface query:         */
/*      :- winstart.                                                          */
/******************************************************************************/

:- ensure_loaded(metutor30), asserta(writelist_prednum(1)),
   ensure_loaded(auditfile),
   ensure_loaded(filetree),
   ensure_loaded(rules),
   ensure_loaded(files),
   ensure_loaded(operators).


/******************************************************************************/
/* The singular predicate is used to help with verb tense of the output       */
/******************************************************************************/

singular(behavior(A,B,C,D)).
singular(behavior(A,B,C,D,E)).
singular(adams).
singular(evans).
singular(jones).
singular(davis).


/******************************************************************************/
/* These predicates are hidden from the user. They are used by the tutor.     */
/*                                                                            */
/*      behavior/4                                                            */
/*      behavior/5                                                            */
/*      file/7                                                                */
/*      deleted_dir/7                                                         */
/*      deleted_file/7                                                        */
/*      modified_file/7                                                       */
/*      insecure_password/1                                                   */
/******************************************************************************/

hidden(behavior(A,B,C,D)).
hidden(behavior(A,B,C,D,E)).
hidden(file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(deleted_dir(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(deleted_file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(modified_file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(insecure_password(User)).


/******************************************************************************/
/* usercommand allows for its argument to be used as an appropriate action    */
/* for the student.                                                           */
/******************************************************************************/

usercommand(auditfile).
usercommand(mail).

intro('
**********************************************************************
* To see a list of possible actions, type the letter "h" or the word *
* "help." To review the audit file or your mail at anytime, type the *
* word "auditfile" or "mail" respectively.                           *
*                                                                    *
**********************************************************************
').


winstart:- asserta(graphicsflag),auditfile,checkfiles,mail,go. 
start:- auditfile,checkfiles,mail,go. 


/******************************************************************************/
/* The start state and goal passed to the metutor30 module to tutor student.  */
/******************************************************************************/

start_state(Start) :-
   nice_bagof(file(A,B,C,D,E,F,G),file(A,B,C,D,E,F,G),Files),
   mail_received(Mail),
   append(Files,Mail,L1),
   files_deleted(F1),
   append(L1,F1,L2),
   dirs_deleted(Dirs),
   append(L2,Dirs,L3),
   rm_files_deleted(RF1),
   append(L3,RF1,L4),
   files_modified(F2),
   append(L4,F2,L5),
   suspicious_behavior(Behavior),
   append(L5,Behavior,L6),
   insecure(Passwords),
   append(L6,Passwords,L7),
   append(L7,[stored(backup,tape)],Start),file_display_init(Start).

goal(Goal) :- suspicious_behavior(Behavior),
   insecure(Passwords),
   not_item(Behavior,NotList1),
   not_item(Passwords,NotList2),
   append(NotList1,NotList2,NotList),
   append(NotList,[stored(backup,tape),executed(password,cracker)],Goal).


/******************************************************************************/
/* IDTS initializing routine: checkfiles                                      */
/******************************************************************************/

checkfiles :- not(checkedfiles).
checkedfiles :-
   audit(User,Time,Path,Command,Result),
   (file_deleted(Command,F1);
    dir_deleted(Command,Dir);
    rm_star(Command,Path);
    file_modified(Time,Path,Command,Result,F2);
    new_file(User,Time,Path,Command,Result);
    copied_file(User,Time,Path,Command,Result);
    mail_recvd(User,Time,Command,Result)),fail.


/******************************************************************************/
/* Checkfiles subroutines                                                     */
/******************************************************************************/

files_deleted(Files) :-
   nice_setof(deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),
      deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),Files).

file_deleted(Command,File) :-
   make_list(Command,[rm,File]),
   file(File,Parent,Owner,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   asserta(deleted_file(File,Parent,Owner,Type,Size,Protection,Modified)),
   retract(file(File,Parent,Owner,Type,Size,Protection,Modified)).

dirs_deleted(Dirs) :-
   nice_setof(deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified),
      deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified),Dirs).

dir_deleted(Command,Dir) :-
   make_list(Command,[rmdir,Dir]),
   file(Dir,Parent,Owner,Type,Size,Protection,Modified),
   Type=directory,
   asserta(deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified)),
   retract(file(Dir,Parent,Owner,Type,Size,Protection,Modified)).

rm_files_deleted(Files) :-
   nice_setof(deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),
      deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),Files).

rm_star(Command,Path) :-
   make_list(Command,[rm,*]),
   file(File,Path,Owner,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   asserta(deleted_file(File,Path,Owner,Type,Size,Protection,Modified)),
   retract(file(File,Path,Owner,Type,Size,Protection,Modified)).

files_modified(Files) :-
   nice_setof(modified_file(File,Parent,Owner,Type,Size,Protection,Modified),
      modified_file(File,Parent,Owner,Type,Size,Protection,Modified),Files).

/* First modification: keep the original file arguments in modified_file. */
file_modified(Time,Parent,Command,Result,File) :-
   make_list(Command,[emacs,File]),
   file(File,Parent,Owner,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   not(modified_file(File,Parent,Owner,_,_,_,_)),
   asserta(modified_file(File,Parent,Owner,Type,Size,Protection,Modified)),
   retract(file(File,Parent,Owner,Type,Size,Protection,Modified)),
   asserta(file(File,Parent,Owner,Type,Result,Protection,Time)).

/* Later modifications: only the current file fact is updated. */
file_modified(Time,Parent,Command,Result,File) :-
   make_list(Command,[emacs,File]),
   file(File,Parent,Owner,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   retract(file(File,Parent,Owner,Type,Size,Protection,Modified)),
   asserta(file(File,Parent,Owner,Type,Result,Protection,Time)).

new_file(User,Time,Parent,Command,Result) :-
   make_list(Command,[emacs,File]),
   not(file(File,Parent,_,_,_,_,_)),not(Parent=bin),
   asserta(file(File,Parent,User,text,Result,'-rw-r--r--',Time)).

new_file(User,Time,Parent,Command,Result) :-
   make_list(Command,[emacs,File]),
   not(file(File,Parent,_,_,_,_,_)),(Parent=bin),
   asserta(file(File,Parent,User,executable,Result,'-rw-r--r--',Time)).

copied_file(User,Time,Parent,Command,Result) :-
   make_list(Command,[cp,File,Path]),
   (different_account(User,Time,Parent,Command,Result,File,Path);
    same_account(User,Time,Parent,Command,Result,File,Path)).

different_account(User,Time,Parent,Command,Result,File,Path) :-
   make_path_list(Path,[X|List]),
   tilde_word(X,Owner),
   file(File,Parent,_,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   not(file(File,Owner,Owner,_,_,_,_)),
   asserta(file(File,Owner,Owner,Type,Size,Protection,Modified)).

same_account(User,Time,Parent,Command,Result,File,Path) :-
   make_path_list(Path,List),
   last(List,NewFile),next_to_last(List,Dir),
   file(File,Parent,User,Type,Size,Protection,Modified),
   (Type=text;Type=executable),
   not(file(File,Dir,User,_,_,_,_)),
   asserta(file(File,Dir,User,Type,Size,Protection,Modified)).

mail_recvd(User,Time,Command,Result) :-
   make_list(Command,[mail,root]),
   asserta(mail(User,root,Time,Result)).

suspicious_behavior(Behavior) :-
   nice_setof(behavior(User,Crime,Time1,Time2),
      Crime^Time1^Time2^behavior(User,Crime,Time1,Time2),B1),
   nice_setof(behavior(User,Crime,File,Time1,Time2),
      Crime^File^Time1^Time2^behavior(User,Crime,File,Time1,Time2),B2),
   append(B1,B2,B3),
   remove_behavior(B3,Behavior).

remove_behavior(List,Answer) :-
   member(behavior(User,Crime,T1,T2),List),
   member(behavior(User1,Crime,T5,T6),List),
   (not(User=User1);not(T1=T5);not(T2=T6)),!,
   delete(behavior(User1,Crime,T5,T6),List,NewList),
   remove_behavior(NewList,Answer).

remove_behavior(List,Answer) :-
   member(behavior(User,Crime,Object,T1,T2),List),
   member(behavior(User1,Crime,Object,T5,T6),List),
   (not(User=User1);not(T1=T5);not(T2=T6)),!,
   delete(behavior(User1,Crime,Object,T5,T6),List,NewList),
   remove_behavior(NewList,Answer).

remove_behavior(List,List).

insecure(Passwords) :-
   bagof(insecure_password(User),insecure_password(User),Passwords).

mail_received(Mail) :-
   nice_setof(mail(User,root,Time,Result),
      Time^Result^mail(User,root,Time,Result),Mail).


/******************************************************************************/
/* Utility routines                                                           */
/******************************************************************************/

not_item(List,NotList) :- not_item1(List,[],NotList).

not_item1([],List,List).
not_item1([A|List],ItemList,Answer) :- F =.. [not,A],
   not_item1(List,[F|ItemList],Answer).

next_to_last(List,X) :-
   append(_,[X,Y],List),!.


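/******************************************************************************/
/* Output routines: auditfile and mail                                        */
/******************************************************************************/

auditfile :-
   write('
**********************************************************************
*                             AUDIT FILE                             *
*                                                                    *
* The following displays the current contents of the audit file:     *
*                                                                    *
**********************************************************************
'),nl,
   write('
Name Time Path Command Result'),nl,nl,
   view_audit,nl.

view_audit :- not(reviewed_audit).
reviewed_audit :-
   bagof(audit(User,Time,Path,Command,Result),
      audit(User,Time,Path,Command,Result),List),
   sort(List,Sorted),member(audit(User,Time,Path,Command,Result),Sorted),
   fixed_length_concatenate(User,Time,15,String1),
   write(String1),write(' '),
   fixed_length_concatenate(Path,Command,25,String2),
   write(String2),write(' '),
   write(Result),nl,fail.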


mail :-
   write('
**********************************************************************
*                           MAIL RECEIVED                            *
*                                                                    *
* The following displays mail received by root:                      *
*                                                                    *
**********************************************************************
'),nl,
   write('
From To Time Problem(File,Directory)'),
   nl,nl,read_mail,nl.

read_mail :- not(read).
read :-
   bagof(mail(User,root,Time,Problem),
      mail(User,root,Time,Problem),List),
   sort(List,Sorted),member(mail(User,root,Time,Problem),Sorted),
   mail(User,root,Time,Problem),
   fixed_length_concatenate(User,'root',15,String1),
   write(String1),write(' '),
   fixed_length_concatenate(Time,'',6,String2),
   write(String2),write(' '),
   write(Problem),nl,fail.
TAB 2. IDTS RULES MODULE 


/******************************************************************************/
/* Intrusion-Detection Tutoring System (IDTS)                                 */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/*                                                                            */
/* IDTS Rules Module                                                          */
/*                                                                            */
/* This module contains the behavior rules which detect suspicious and        */
/* malicious behavior present in the auditfile, and the various subroutines   */
/* used in them.                                                              */
/******************************************************************************/

/******************************************************************************/
/* Behavior Rules                                                             */
/******************************************************************************/

behavior(Intruder,'maliciously deleted file',File,T1,T1) :-
   audit(Intruder,P1,Time1,C1,ok),
   make_list(C1,[cd,X]),
   tilde_word(X,User),
   audit(Intruder,T1,Dir,C2,ok),
   make_list(C2,[rm,File]),
   not(audit(User,Time,Dir,C2,ok)),
   deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).

behavior(Intruder,'maliciously deleted file',File,T1,T1) :-
   audit(Intruder,_,Time1,C1,ok),
   make_list(C1,[cd,X]),
   tilde_word(X,User),
   audit(Intruder,T1,Dir,C2,ok),
   make_list(C2,[rm,*]),
   not(audit(User,Time,Dir,C2,ok)),
   deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).


/******************************************************************************/
/* System Administrator receives mail from a User saying a File was           */
/* deleted by someone else. Case where malicious user cd's                    */
/* over to person's account.                                                  */
/******************************************************************************/

behavior(Intruder,'maliciously deleted file',File,T1,T2) :-
   audit(User,T2,P,'mail root',Message),
   Message=..[bad,File,Dir],
   audit(Intruder,P1,Time1,C1,ok),
   make_list(C1,[cd,X]),
   tilde_word(X,User),
   audit(Intruder,T1,Dir,C2,ok),
   make_list(C2,[rm,File]),
   not(audit(User,Time,Path,C2,ok)).

/******************************************************************************/
/* System Administrator receives mail from User saying Files were             */
/* maliciously deleted by someone else. Case where malicious user cd's        */
/* over to person's account and uses "rm *" to delete all files in a          */
/* directory (Dir).                                                           */
/******************************************************************************/

behavior(Intruder,'maliciously deleted file',File,T1,T2) :-
   audit(User,T2,_,'mail root',Message),
   Message=..[bad,Dir],
   audit(Intruder,_,Time1,C1,ok),
   make_list(C1,[cd,X]),
   tilde_word(X,User),
   audit(Intruder,T1,Dir,C2,ok),
   make_list(C2,[rm,*]),
   not(audit(User,Time,Dir,C2,ok)),
   T1<T2,
   deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).


/******************************************************************************/
/* System Administrator examines audit file and sees that the password file   */
/* has been copied or edited by some user(Intruder).                          */
/******************************************************************************/

behavior(Intruder,'copied password file',T1,T1) :-
    audit(User,T1,etc,Command,ok),
    make_list(Command,[cp,passwd,X]),
    make_path_list(X,[Y|List]),
    tilde_word(Y,Intruder).

behavior(Intruder,'copied password file',T1,T1) :-
    audit(Intruder,T1,etc,Command,ok),
    make_list(Command,[cp,passwd|List]).

behavior(Intruder,'edited password file',T1,T1) :-
    audit(Intruder,T1,etc,Command,Number),
    make_list(Command,[emacs,passwd]).


/* System Administrator examines audit file and sees a suspicious login and   */
/* possible compromise of some user(User)'s password.                         */

behavior(User,'possible compromised user password',User,T1,T2) :-
    suspicious(login,User,Time,T1),
    audit(User,T2,Path,Command,ok),
    make_list(Command,[login,User]),
    time_difference(T1,T2).

/* System Administrator examines audit file and sees two users logged on at   */
/* the same time with the same user name.                                     */

behavior(User,'compromised user password',User,T1,T2) :-
    concurrent_login(User,T1,T2).


/******************************************************************************/
/* System Administrator receives mail from User(X) saying that he cannot      */
/* login due to his password being changed.                                   */
/*                                                                            */
/* Case 1: Intruder becomes root and changes user password.                   */
/* Case 2: Intruder masquerades as user and changes password.                 */
/******************************************************************************/

/* Case 1 */

behavior(Intruder,'maliciously changed user password',User,T1,T2) :-
    audit(User,T2,Path,'mail root',Message),
    Message=..[bad,password,User],
    not(audit(User,_,_,yppasswd,ok)),
    audit(Intruder,_,_,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,User,yppasswd,ok).

/* Case 2 */

behavior(User,'maliciously changed user password',User,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message=..[bad,password,User],
    audit(User,Time,Path1,Command,ok),
    make_list(Command,[login,User]),
    Time<T2,
    audit(User,T1,Path2,yppasswd,ok),
    T1>Time,T1<T2.


/******************************************************************************/
/* Intruder has cracked the root password. Assumes only one person can        */
/* be root and must login as root.                                            */
/******************************************************************************/

behavior(Intruder,'compromised root password',T1,T1) :-
    audit(Intruder,T1,Path,su,ok),
    not(Intruder = root).

behavior(root,'compromised root password',T1,T2) :-
    concurrent_login(root,T1,T2).








/******************************************************************************/
/* System Administrator receives mail from user(X) saying that strange        */
/* "things" happen when he runs an executable. Case when a system executable  */
/* has been modified.                                                         */
/******************************************************************************/

behavior(Intruder,'possible Trojan Horse',File,T1,T1) :-
    audit(Intruder,T1,bin,C2,Size),
    make_list(C2,[emacs,File]),
    modified_file(File,bin,root,executable,_,_,_).

behavior(Intruder,'inserted Trojan Horse',File,T1,T2) :-
    audit(_,T2,Path,'mail root',Message),
    Message=..[bad,File,Dir],
    audit(Intruder,T1,Dir,C2,Size),
    /* System Administrator examines audit file and finds that user(X) has    */
    /* successfully modified an executable File by X amount. X in this case   */
    /* is 1024.                                                               */
    make_list(C2,[emacs,File]),
    T1<T2,
    change_in_file(File,1024).

change_in_file(File,Size) :-
    file(File,Dir,root,executable,Size2,Protection,Modified2),
    modified_file(File,Dir,root,executable,Size1,Protection,Modified1),
    Change is Size2 - Size1, Change = Size.


/******************************************************************************/
/* System Administrator receives mail from user(X) saying that some of        */
/* his files have been maliciously modified. Case when malicious user         */
/* gains access to User(X)'s account by insecure password.                    */
/******************************************************************************/

behavior(User,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message=..[bad,File,Dir],
    suspicious(login,User,Time1,Time2),
    audit(User,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2.

/* System Administrator receives mail from User(X) saying that some of        */
/* his files have been maliciously modified. Case where malicious user(Y)     */
/* cd's to user(X)'s directory and modifies file directly.                    */

behavior(Intruder,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message=..[bad,File,Dir],
    audit(Intruder,Time1,P1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2,Time1<T2.

behavior(Intruder,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message=..[bad,File,Dir],
    audit(Intruder,Time1,P1,C1,ok),
    make_list(C1,[cd,Dir]),
    audit(Intruder,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2.

/* Possible intruder on system due to multiple failed "su" commands. */

behavior(User,'possible intruder',T1,T2) :-
    suspicious('use of su command',User,T1,T2).


/******************************************************************************/
/* Suspicious predicates                                                      */
/******************************************************************************/

suspicious(login,User,T1,T2) :-
    repeated_failure(User,Command,Number,Times),
    make_list(Command,[login,User]),
    (Number >= 3),
    close_times(Times,[X|List]),
    get_times(X,T1,T2).

suspicious('use of su command',User,T1,T2) :-
    repeated_failure(User,su,Number,Times),
    not(User=root),
    (Number >= 3),
    get_times(Times,T1,T2).

repeated_failure(User,Command,Number,Failures1) :-
    bagof(Time,Path^audit(User,Time,Path,Command,fail),Failures),
    length(Failures,Number),sort(Failures,Failures1).


/******************************************************************************/
/* Time Related Subroutines                                                   */
/******************************************************************************/

concurrent_login(User,Time1,Time2) :-
    logins(User,Logins),
    logouts(User,Logouts),
    concurrency(Logins,Logouts,Time1,Time2).

logins(User,Logins) :-
    nice_bagof(Time,check(login,User,Time),L),
    sort(L,Logins).

logouts(User,Logouts) :-
    nice_bagof(Time,check(logout,User,Time),L),
    sort(L,Logouts).

check(login,User,Time) :- audit(User,Time,Path,Command,ok),
    make_list(Command,[login,User]).

check(logout,User,Time) :- audit(User,Time,Path,Command,ok),
    make_list(Command,[logout]).

concurrency([X,Y],[],Y,100000).
concurrency([X],List,X,100000) :- fail,!.
concurrency([X,Y|List1],[Z|List2],Y,Z) :- Z > Y.
concurrency([X,Y|List1],[Z|List2],Y,Z) :-
    append([Y],List1,NewList),
    concurrency(NewList,List2,Y,Z).
concurrency([],[],Number,100000) :- fail,!.

close_times([X,Y,Z|List],Ans) :- compare_times([X,Y,Z]),
    close_times1(List,Y,Z,[[X,Y,Z]],Ans).
close_times([X,Y,Z|List],Ans) :- close_times1(List,Y,Z,[],Ans).
close_times1([],Y,Z,List,List).
close_times1([Z|List],X,Y,Newlist,Ans) :- compare_times([X,Y,Z]),
    close_times1(List,Y,Z,[[X,Y,Z]|Newlist],Ans).
close_times1([Z|List],X,Y,Newlist,Ans) :-
    close_times1(List,Y,Z,Newlist,Ans).
compare_times([T1,T2,T3]) :- T2-T1<3, T3-T2<3.

time_difference(T1,T2) :- (T1 - T2) < 5.

get_logout(User,Logout) :-
    not(audit(User,Time,Path,logout,ok)),
    Logout is 100000.

get_logout(User,Logout) :-
    audit(User,Time,Path,logout,ok),
    Logout is Time.

/******************************************************************************/
/* List Subroutines & Other Utilities                                         */
/******************************************************************************/

make_list(String,List) :- name(String,L1),append(X,[32|Y],L1),
    name(String1,X),
    make_list1(Y,[String1],List),!.

make_list(String,List) :- name(String,L1),append(X,[Z|Y],L1),not(Z=32),
    List=[String],!.

make_list1(List,NewList,Ans) :- append(X,[32|Y],List),
    name(String1,X),
    append(NewList,[String1],NewList1),
    make_list1(Y,NewList1,Ans),!.

make_list1(List,NewList,Ans) :- append(X,[Z|Y],List),not(Z=32),
    name(String1,List),
    append(NewList,[String1],Ans),!.

make_path_list(String,List) :- name(String,L1),append(X,[47|Y],L1),
    name(String1,X),
    make_path_list1(Y,[String1],List),!.

make_path_list(String,List) :- name(String,L1),append(X,[Z|Y],L1),not(Z=47),
    List=[String],!.

make_path_list1(List,NewList,Ans) :- append(X,[47|Y],List),
    name(String1,X),
    append(NewList,[String1],NewList1),
    make_path_list1(Y,NewList1,Ans),!.
make_path_list1(List,NewList,Ans) :- append(X,[Z|Y],List),not(Z=47),
    name(String1,List),
    append(NewList,[String1],Ans),!.

tilde_word(Dir,Username) :-
    name(Dir,L),
    first(L,126),
    append([X],List,L),
    name(Username,List).

get_times(List,T1,T2) :- first(List,T1),last(List,T2).
first([First|List],First).

TAB 3. IDTS OPERATORS MODULE

/******************************************************************************/
/* Intrusion-Detection Tutoring System Program -- Version 1 (IDTS)            */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/******************************************************************************/
/* IDTS Operators Module                                                      */
/******************************************************************************/
/* This module contains the four predicates required by the metutor30 module  */
/* to tutor the student:                                                      */
/*     recommended,                                                           */
/*     precondition,                                                          */
/*     postcondition,                                                         */
/*     deletepostcondition.                                                   */
/******************************************************************************/

/******************************************************************************/
/* Recommended Facts                                                          */
/******************************************************************************/


recommended([not(behavior(A,'edited password file',T1,T2))],
    [behavior(A,'edited password file',T1,T2)],
    restore(modified,file,passwd,from,backup)).
recommended([not(behavior(A,'copied password file',T1,T2))],
    [behavior(A,'copied password file',T1,T2)],
    change(permissions,file,passwd)).
recommended([not(behavior(A,'compromised root password',T1,T2))],
    [behavior(A,'compromised root password',T1,T2)],
    change(root,password)).
recommended([not(behavior(A,'inserted Trojan Horse',File,T1,T2))],
    [behavior(A,'inserted Trojan Horse',File,T1,T2)],
    remove('Trojan','Horse',from,File)).
recommended([not(behavior(A,'possible Trojan Horse',File,T1,T2))],
    [behavior(A,'possible Trojan Horse',File,T1,T2)],
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape)).
recommended([not(behavior(A,'possible intruder',T1,T2))],
    [behavior(A,'possible intruder',T1,T2)],
    confront(user,A)).
recommended(
    [not(behavior(Intruder,'maliciously changed user password',User,T1,T2))],
    [behavior(Intruder,'maliciously changed user password',User,T1,T2)],
    restore(user,password,for,User)).
recommended(
    [not(behavior(A,'maliciously changed user password',T1,T2))],
    [behavior(A,'maliciously changed user password',T1,T2)],
    issue(A,new,user,password)).
recommended([not(behavior(A,'compromised user password',A,T1,T2))],
    [behavior(A,'compromised user password',A,T1,T2)],
    examine(user,password,A)).
recommended([not(behavior(A,'possible compromised user password',A,T1,T2))],
    [behavior(A,'possible compromised user password',A,T1,T2)],
    investigate(user,password,A)).
recommended([not(behavior(A,'maliciously modified file',X,T1,T2))],
    [behavior(A,'maliciously modified file',X,T1,T2)],
    restore(modified,file,X,from,backup)).
recommended([not(behavior(A,'maliciously deleted file',X,T1,T2))],
    [behavior(A,'maliciously deleted file',X,T1,T2)],
    restore(deleted,file,X,from,backup)).
recommended([checked(permissions,file,X)],check(permissions,file,X)).
recommended([executed(password,cracker)],execute(password,cracker)).
recommended([not(insecure_password(User))],
    [known(insecure,password,for,User)],
    change(password,for,User)).
recommended([found(file,X,on,backup,tape)],find(file,X,on,backup,tape)).
recommended([loaded(backup,tape)],load(backup,tape)).
recommended([located(backup,tape)],locate(backup,tape)).
recommended([stored(backup,tape)],store(backup,tape)).

/* Preconditions */ 


precondition(change(permissions,file,X),[not(changed(permissions,file,X)),
    checked(permissions,file,X)]).
precondition(change(root,password),
    [not(changed(password,root))]).
precondition(remove('Trojan','Horse',from,File),
    [restored(file,File)]).
precondition(compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [found(file,File,on,backup,tape)]).
precondition(confront(user,A),
    [not(confronted(user,A))]).
precondition(restore(user,password,for,User),
    [not(restored(password,for,User))]).
precondition(issue(A,new,user,password),
    [not(issued(new,password,to,A))]).
precondition(examine(user,password,A),
    [not(examined(password,A))]).
precondition(investigate(user,password,A),
    [not(investigated(password,A))]).
precondition(restore(modified,file,X,from,backup),
    [found(file,X,on,backup,tape)]).
precondition(restore(deleted,file,X,from,backup),
    [found(file,X,on,backup,tape)]).
precondition(check(permissions,file,X),[]).
precondition(execute(password,cracker),
    [not(executed(password,cracker))]).
precondition(change(password,for,User),[not(changed(password,for,User))]).
precondition(find(file,X,on,backup,tape),[loaded(backup,tape)]).
precondition(load(backup,tape),
    [not(loaded(backup,tape)),located(backup,tape)]).
precondition(locate(backup,tape),
    [not(located(backup,tape)),stored(backup,tape)]).
precondition(store(backup,tape),
    [not(stored(backup,tape))]).


/******************************************************************************/
/* AddPostCondition Facts                                                     */
/******************************************************************************/

addpostcondition(change(permissions,file,X),[changed(permissions,file,X)]).
addpostcondition(change(root,password),[changed(password,root)]).
addpostcondition(remove('Trojan','Horse',from,File),
    [removed('Trojan','Horse',from,File)]).
addpostcondition(
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [compared(file,File,for,'Trojan Horse',with,File,on,backup,tape)]).
addpostcondition(confront(user,User),[confronted(user,User)]).
addpostcondition(restore(user,password,for,User),[restored(password,for,User)]).
addpostcondition(investigate(user,password,A),[investigated(user,password,A)]).
addpostcondition(examine(user,password,User),[examined(password,User)]).
addpostcondition(issue(User,new,user,password),[issued(new,password,to,User)]).
addpostcondition(check(permissions,file,X),[checked(permissions,file,X)]).
addpostcondition(restore(modified,file,X,from,backup),
    [modified_file(X,P,O,T,S,B,M)],
    [restored(file,X),file(X,P,O,T,S,B,M)]).
addpostcondition(restore(deleted,file,X,from,backup),
    [deleted_file(X,P,O,T,S,B,M)],
    [restored(file,X),file(X,P,O,T,S,B,M)]).
addpostcondition(execute(password,cracker),[insecure_password(User)],
    [executed(password,cracker),
     known(insecure,password,for,User1),
     known(insecure,password,for,User2),
     known(insecure,password,for,User3),
     known(insecure,password,for,User4)]).
addpostcondition(change(password,for,User),[changed(password,for,User)]).
addpostcondition(find(file,X,on,backup,tape),[found(file,X,on,backup,tape)]).
addpostcondition(load(backup,tape),[loaded(backup,tape)]).
addpostcondition(locate(backup,tape),[located(backup,tape)]).
addpostcondition(store(backup,tape),[stored(backup,tape)]).


/******************************************************************************/
/* DeletePostCondition Facts                                                  */
/******************************************************************************/

deletepostcondition(change(permissions,file,passwd),
    [behavior(A,'copied password file',T1,T2)]).
deletepostcondition(change(root,password),      /* 2 behaviors deleted */
    [behavior(A,'compromised root password',T1,T2),
     behavior(A1,'compromised root password',T3,T4)]).
deletepostcondition(remove('Trojan','Horse',from,File),
    [behavior(A,'inserted Trojan Horse',File,T1,T2)]).
deletepostcondition(
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [behavior(A,'possible Trojan Horse',File,T1,T2)]).
deletepostcondition(confront(user,A),
    [behavior(A,'possible intruder',T1,T2)]).
deletepostcondition(investigate(user,password,A),
    [behavior(A,'possible compromised user password',A,T1,T2)]).
deletepostcondition(issue(A,new,user,password),
    [behavior(A,'maliciously changed user password',T1,T2)]).
deletepostcondition(restore(user,password,for,User),
    [behavior(Intruder,'maliciously changed user password',User,T1,T2)]).
deletepostcondition(examine(user,password,A),
    [behavior(A,'compromised user password',A,T1,T2)]).
deletepostcondition(restore(modified,file,passwd,from,backup),
    [modified_file(passwd,P,O,T,S,B,M),file(passwd,P,O,T,S1,B,M1),
     behavior(A,'edited password file',T1,T2)]).
deletepostcondition(restore(modified,file,X,from,backup),
    [modified_file(X,P,O,T,S,B,M),file(X,P,O,T,S1,B,M1),
     behavior(A,'maliciously modified file',X,T1,T2)]).
deletepostcondition(restore(deleted,file,X,from,backup),
    [deleted_file(X,P,O,T,S,B,M),
     behavior(A,'maliciously deleted file',X,T1,T2)]).
deletepostcondition(check(permissions,file,X),[]).
deletepostcondition(execute(password,cracker),[]).
deletepostcondition(change(password,for,User),
    [insecure_password(User)]).
deletepostcondition(find(file,X,on,backup,tape),[]).
deletepostcondition(load(backup,tape),
    [removed(backup,tape)]).
deletepostcondition(locate(backup,tape),[stored(backup,tape)]).
deletepostcondition(store(backup,tape),
    [located(backup,tape),loaded(backup,tape)]).

TAB 4. IDTS FILES MODULE

/******************************************************************************/
/* Intrusion-Detection Tutoring System (IDTS)                                 */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/******************************************************************************/
/* IDTS Files Module                                                          */
/******************************************************************************/
/* This module contains file and insecure_password facts which store the      */
/* initial file system of IDTS's virtual environment. The data structure of a */
/* file fact is as follows:                                                   */
/*                                                                            */
/* file(<name>,<dir>,<owner>,<type>,<size>,<protection>,<time>).              */
/*                                                                            */
/* where, <name> is any legal UNIX file name;                                 */
/* <dir> is name of directory file <name> resides;                            */
/* <owner> is name of owner of file <name>;                                   */
/* <type> is the file <name>'s type, either directory, text, or executable;   */
/* <size> is the size in bytes of file <name>;                                */
/* <protection> are the UNIX permissions for file <name>; and                 */
/* <time> is the time file <name> was last modified by <owner>.               */
/*                                                                            */
/* The data structure for insecure password is:                               */
/*                                                                            */
/* insecure_password(<user>), where <user> is the name of user in the system. */
/******************************************************************************/

:-dynamic file/7.

/******************************************************************************/
/* Root directories and files.                                                */
/******************************************************************************/

file(root,root,root,directory,100,'drwxr-xr-x',100).
file(bin,root,root,directory,100,'drwxr-sr-x',10).
file(users,root,root,directory,100,'drwxr-sr-x',10).
file(su,bin,root,executable,100,'-rwxr-xr-x',10).
file(ls,bin,root,executable,2000,'-rwxr-xr-x',20).
file(cd,bin,root,executable,5000,'-rwxr-xr-x',30).
file(etc,root,root,directory,100,'drwxr-sr-x',10).
file(passwd,etc,root,text,1000,'-rw-r--r--',40).

/* Other Users and their files in the System. */

file(adams,users,adams,directory,100,'drwxr-xr-x',100).
file(diradams,adams,adams,directory,512,'drwxr-xr-x',1002).
file(auxa,diradams,adams,text,1512,'-rw-r--r--',1000).
file(auxb,diradams,adams,text,1224,'-rw-r--r--',1234).
file(auxc,diradams,adams,text,5120,'-rw-r--r--',1515).

file(brown,users,brown,directory,100,'drwxr-xr-x',100).

file(coleman,users,coleman,directory,100,'drwxr-xr-x',100).

file(davis,users,davis,directory,100,'drwxr-xr-x',100).
file(goodnews,davis,davis,text,1348,'-rw-r--r--',2300).

file(doe,users,doe,directory,100,'drwxr-xr-x',100).
file(bigpaper,doe,doe,text,30000,'-rw-rw-rw-',500).

file(evans,users,evans,directory,100,'drwxr-xr-x',100).
file(csclass,evans,evans,directory,512,'drwxr-xr-x',2100).
file(proj_one,csclass,evans,exec,139268,'-rwxr--r--',0808).

file(farmer,users,farmer,directory,100,'drwxr-xr-x',100).
file(secrets,farmer,farmer,text,11348,'-rw-r--r--',1212).

file(graham,users,graham,directory,100,'drwxr-xr-x',100).
file(important,graham,graham,text,10248,'-rw-r--r--',1734).

file(jones,users,jones,directory,100,'drwxr-xr-x',100).

file(dog,users,dog,directory,100,'drwxr-xr-x',100).
file(food,dog,dog,text,1024,'-rw-r--r--',2210).
file(bark,dog,dog,text,1024,'-rw-r--r--',2210).
file(wag,dog,dog,text,1024,'-rw-r--r--',2210).

file(smith,users,smith,directory,100,'drwxr-xr-x',100).
file(shortpaper,smith,smith,text,5400,'-rw-rw-rw-',500).

file(tom,users,tom,directory,100,'drwxrwxrwx',100).
file(bb,tom,tom,text,512,'-rwxrwxrwx',1002).
file(aa,tom,tom,text,512,'-rwxrwxrwx',1002).
file(ba,tom,tom,directory,512,'drwxrwxrwx',1002).

file(uri,users,uri,directory,100,'drwxr-xr-x',100).
file(ba,uri,uri,directory,512,'drwxr-xr-x',1002).
file(baseball,ba,uri,text,512,'-rw-rw-r--',1002).

/******************************************************************************/
/* Insecure_password facts                                                    */
/******************************************************************************/

insecure_password(adams).
insecure_password(graham).
insecure_password(farmer).
insecure_password(smith).






TAB 5. IDTS SAMPLE AUDITFILE MODULE

/******************************************************************************/
/* Intrusion-Detection Tutoring System Program -- Version 1 (IDTS)            */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/******************************************************************************/
/* IDTS Sample Audit File -- auditfile                                        */
/******************************************************************************/
/* This module contains sample audit facts that may be used by IDTS.          */
/* The data structure for an audit fact is as follows:                        */
/*                                                                            */
/* audit(<user>,<time>,<directory>,<command>,<result>),                       */
/*                                                                            */
/* where <user> is a user name on the system,                                 */
/* <time> is an integer and time <command> was executed                       */
/* <directory> is the <user>'s current directory where <command> executed     */
/* <command> is the UNIX command issued at <time> by <user>                   */
/* <result> is the result of executing <command>, and can be either, "ok,"    */
/* "fail," an integer, or a mail message.                                     */
/******************************************************************************/

audit(adams,10,none,'login adams',ok).
audit(adams,30,none,'login adams',ok).
audit(adams,20,adams,ls,ok).
audit(adams,30,adams,'cd diradams',ok).
audit(adams,35,diradams,ls,ok).
audit(adams,40,diradams,'emacs auxa',1014).
audit(adams,50,diradams,'rm auxa',ok).
audit(adams,60,diradams,'emacs auxb',1212).
audit(adams,70,diradams,'rm auxb',ok).
audit(adams,80,diradams,'emacs auxc',1346).
audit(adams,90,diradams,'rm auxc',ok).
audit(adams,100,diradams,cd,ok).
audit(adams,110,adams,'rmdir diradams',ok).
audit(adams,120,adams,logout,ok).
audit(brown,130,none,'login brown',fail).
audit(brown,132,none,'login brown',fail).
audit(brown,134,none,'login brown',fail).
audit(brown,136,none,'login brown',ok).
audit(brown,138,brown,yppasswd,ok).
audit(brown,140,brown,logout,ok).
audit(coleman,160,none,'login coleman',fail).
audit(coleman,170,none,'login coleman',fail).
audit(coleman,180,none,'login coleman',fail).
audit(davis,190,none,'login davis',ok).
audit(davis,200,davis,'emacs goodnews',2372).
audit(root,315,none,'login root',fail).
audit(root,324,none,'login root',ok).
audit(root,329,root,'cd bin',ok).
audit(davis,410,davis,logout,ok).
audit(evans,420,none,'login evans',ok).
audit(evans,430,evans,ls,ok).
audit(evans,440,evans,'cd csclass',ok).
audit(evans,450,csclass,ls,ok).
audit(evans,460,csclass,'emacs proj_one',140292).
audit(root,589,bin,'emacs ls',3024).
audit(evans,880,csclass,logout,ok).
audit(smith,859,none,'login smith',ok).
audit(smith,900,smith,'cd etc',ok).
audit(smith,901,etc,'cp passwd ~smith',ok).
audit(smith,902,etc,logout,ok).
audit(jones,910,none,'login jones',ok).
audit(jones,910,jones,su,fail).
audit(jones,911,jones,su,fail).
audit(jones,912,jones,su,fail).
audit(jones,920,jones,su,ok).
audit(jones,921,root,'cd ~farmer',ok).
audit(jones,922,farmer,ls,ok).
audit(jones,923,farmer,'rm secrets',ok).
audit(jones,924,farmer,yppasswd,ok).
audit(jones,925,farmer,'cd ~graham',ok).
audit(jones,926,graham,ls,ok).
audit(jones,927,graham,'emacs important',11272).
audit(brown,1030,none,'login brown',fail).
audit(brown,1031,none,'login brown',fail).
audit(brown,1032,none,'login brown',fail).
audit(brown,1033,none,'mail root',bad(password,brown)).
audit(root,1119,bin,'emacs cd',4979).
audit(farmer,1203,none,'login farmer',fail).
audit(farmer,1204,none,'login farmer',fail).
audit(farmer,1205,none,'login farmer',fail).
audit(farmer,1206,none,'login farmer',fail).
audit(farmer,1207,farmer,'mail root',bad(password,farmer)).
audit(root,1211,root,mail,ok).
audit(farmer,1220,farmer,'mail root',bad(secrets,farmer)).
audit(root,1394,root,'cd ~dog',ok).
audit(root,1395,dog,'rm *',ok).
audit(root,1396,dog,cd,ok).
audit(root,1400,root,'login root',ok).
audit(root,1421,root,logout,ok).
audit(graham,1500,none,'login graham',ok).
audit(graham,1501,graham,ls,ok).
audit(graham,1502,graham,'mail root',bad(important,graham)).
audit(root,1503,root,mail,ok).
audit(uri,2119,none,'login uri',ok).
audit(uri,2127,uri,'cd ba',ok).
audit(uri,2216,ba,'rm *',ok).
audit(uri,2218,ba,logout,ok).
audit(tom,2713,none,'login tom',ok).
audit(tom,2732,tom,'cd ba',ok).
audit(tom,2749,ba,'cp aa guest/aa',ok).
audit(tom,2754,ba,logout,ok).
audit(root,4474,none,'login root',fail).
audit(root,4475,none,'login root',fail).
audit(root,4476,none,'login root',fail).
audit(root,4493,none,'login root',ok).
audit(root,4499,root,'cd etc',ok).
audit(root,5087,etc,'emacs passwd',1017).
audit(root,5088,etc,cd,ok).
audit(root,5089,root,'cd bin',ok).
audit(root,5205,bin,'mail root',bad(cd,bin)).
audit(root,5208,bin,logout,ok).
audit(tom,6351,none,'login tom',ok).
audit(tom,6355,tom,'cd ba',ok).
audit(tom,6421,ba,'emacs ab',12345).
audit(tom,6428,ba,logout,ok).
audit(doe,8982,none,'login doe',ok).
audit(doe,9315,doe,'emacs bigpaper',29947).
audit(doe,9335,doe,'emacs csproject',1024).
audit(doe,9352,doe,ls,ok).
audit(doe,9360,doe,'emacs csproject',4096).
audit(doe,9373,doe,'mail root',bad(ls,bin)).
audit(doe,9375,doe,'mail root',bad(doefile,doe)).
audit(doe,9379,doe,logout,ok).
audit(dog,9400,none,'login dog',ok).
audit(dog,9403,dog,ls,ok).
audit(dog,9404,dog,'mail root',bad(bark,dog)).
audit(dog,9405,dog,logout,ok).
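
The failure-counting checks of the Rules Module (`suspicious(login,...)`, `suspicious('use of su command',...)` and the successful-`su` clause of 'compromised root password') can be run over the audit-fact format above outside Prolog. The Python below is an added example, not part of the thesis's code: it parses `audit(...)` facts, applies those three checks, and attaches the action the Operators Module recommends. The function names are assumptions of this example, and the input is a subset of the sample audit facts.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Audit(NamedTuple):
    user: str
    time: int
    directory: str
    command: str
    result: str  # "ok", "fail", an integer as text, or a mail term such as bad(x,y)


# audit(<user>,<time>,<directory>,<command>,<result>).
# <command> is either a quoted atom ('login brown') or a bare atom (su).
FACT = re.compile(
    r"audit\(\s*(\w+)\s*,\s*(\d+)\s*,\s*(\w+)\s*,\s*(?:'([^']*)'|(\w+))\s*,\s*(.+?)\s*\)\s*\.\s*$"
)

# Subset of the sample audit facts, embedded so the example runs offline.
SAMPLE = """\
audit(brown,130,none,'login brown',fail).
audit(brown,132,none,'login brown',fail).
audit(brown,134,none,'login brown',fail).
audit(brown,136,none,'login brown',ok).
audit(coleman,160,none,'login coleman',fail).
audit(coleman,170,none,'login coleman',fail).
audit(coleman,180,none,'login coleman',fail).
audit(jones,910,none,'login jones',ok).
audit(jones,910,jones,su,fail).
audit(jones,911,jones,su,fail).
audit(jones,912,jones,su,fail).
audit(jones,920,jones,su,ok).
audit(brown,1033,none,'mail root',bad(password,brown)).
"""


def parse(text):
    """Turn audit/5 facts into Audit records; lines that are not facts are skipped."""
    records = []
    for line in text.splitlines():
        m = FACT.match(line.strip())
        if m:
            user, time, directory, quoted, bare, result = m.groups()
            command = quoted if quoted is not None else bare
            records.append(Audit(user, int(time), directory, command.strip(), result))
    return records


def close_login_failures(records, max_gap=3):
    """suspicious(login,...): at least three failed logins by a user, with three
    consecutive failures each less than max_gap time units apart (compare_times)."""
    fails = defaultdict(list)
    for r in records:
        if r.result == "fail" and r.command == f"login {r.user}":
            fails[r.user].append(r.time)
    hits = []
    for user, times in fails.items():
        if len(times) < 3:
            continue
        ordered = sorted(set(times))  # Prolog sort/2 also drops duplicates
        for a, b, c in zip(ordered, ordered[1:], ordered[2:]):
            if b - a < max_gap and c - b < max_gap:
                hits.append((user, a, c))
    return sorted(hits)


def repeated_su_failures(records, threshold=3):
    """suspicious('use of su command',...): a non-root user with >= threshold failed su."""
    fails = defaultdict(list)
    for r in records:
        if r.command == "su" and r.result == "fail" and r.user != "root":
            fails[r.user].append(r.time)
    return sorted((u, min(t), max(t)) for u, t in fails.items() if len(t) >= threshold)


def su_by_non_root(records):
    """First 'compromised root password' clause: a successful su by someone other than root."""
    return sorted((r.user, r.time) for r in records
                  if r.command == "su" and r.result == "ok" and r.user != "root")


def findings(records):
    """Detected behaviors paired with the action the recommended/3 facts list for them."""
    out = []
    for user, t1, t2 in repeated_su_failures(records):
        out.append(("possible intruder", user, t1, t2, f"confront(user,{user})"))
    for user, t in su_by_non_root(records):
        out.append(("compromised root password", user, t, t, "change(root,password)"))
    return out


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(close_login_failures(recs))
    for finding in findings(recs):
        print(finding)
```

coleman's three failures are ten time units apart, so they do not satisfy the close-times test, while brown's failures at 130, 132 and 134 do.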
APPENDIX B: SAMPLE SCRIPT RUNS WITH IDTS


The following are four script runs of IDTS using four different test audit files. The
four different script runs are divided into the following appendix tabs:


Tab 1. Test Auditfile 1

Tab 2. Test Auditfile 2

Tab 3. Test Auditfile 3

Tab 4. Test Auditfile 4

TAB 1. TEST AUDITFILE 1


The following is the audit file used for Run 1:

audit(adams,10,none,'login adams',ok).
audit(adams,30,none,'login adams',ok).
audit(adams,20,adams,ls,ok).
audit(adams,30,adams,'cd diradams',ok).
audit(adams,35,diradams,ls,ok).
audit(adams,40,diradams,'emacs auxa',1014).
audit(adams,50,diradams,'rm auxa',ok).
audit(adams,60,diradams,'emacs auxb',1212).
audit(adams,70,diradams,'rm auxb',ok).
audit(adams,80,diradams,'emacs auxc',1346).
audit(adams,90,diradams,'rm auxc',ok).
audit(adams,100,diradams,cd,ok).
audit(adams,110,adams,'rmdir diradams',ok).
audit(adams,120,adams,logout,ok).
audit(brown,130,none,'login brown',fail).
audit(brown,132,none,'login brown',fail).
audit(brown,134,none,'login brown',fail).
audit(brown,136,none,'login brown',ok).
audit(brown,138,brown,yppasswd,ok).
audit(brown,140,brown,logout,ok).
audit(coleman,160,none,'login coleman',fail).
audit(coleman,170,none,'login coleman',fail).
audit(coleman,180,none,'login coleman',fail).
audit(davis,190,none,'login davis',ok).
audit(davis,200,davis,'emacs goodnews',2372).
audit(root,315,none,'login root',fail).
audit(root,324,none,'login root',ok).
audit(root,329,root,'cd bin',ok).
audit(davis,410,davis,logout,ok).
audit(evans,420,none,'login evans',ok).
audit(evans,430,evans,ls,ok).
audit(evans,440,evans,'cd csclass',ok).
audit(evans,450,csclass,ls,ok).
audit(evans,460,csclass,'emacs proj_one',140292).
audit(root,589,bin,'emacs ls',3024).
audit(evans,880,csclass,logout,ok).
audit(smith,859,none,'login smith',ok).
audit(smith,900,smith,'cd etc',ok).
audit(smith,901,etc,'cp passwd ~smith',ok).
audit(smith,902,etc,logout,ok).
audit(jones,910,none,'login jones',ok).
audit(jones,910,jones,su,fail).
audit(jones,911,jones,su,fail).
audit(jones,912,jones,su,fail).
audit(jones,920,jones,su,ok).
audit(jones,921,root,'cd ~farmer',ok).
audit(jones,922,farmer,ls,ok).
audit(jones,923,farmer,'rm secrets',ok).
audit(jones,924,farmer,yppasswd,ok).
audit(jones,925,farmer,'cd ~graham',ok).
audit(jones,926,graham,ls,ok).
audit(jones,927,graham,'emacs important',11272).
audit(brown,1030,none,'login brown',fail).
audit(brown,1031,none,'login brown',fail).
audit(brown,1032,none,'login brown',fail).
audit(brown,1033,none,'mail root',bad(password,brown)).
audit(root,1119,bin,'emacs cd',4979).
audit(farmer,1203,none,'login farmer',fail).
audit(farmer,1204,none,'login farmer',fail).
audit(farmer,1205,none,'login farmer',fail).
audit(farmer,1206,none,'login farmer',fail).
audit(farmer,1207,farmer,'mail root',bad(password,farmer)).
audit(root,1211,root,mail,ok).
audit(farmer,1220,farmer,'mail root',bad(secrets,farmer)).
audit(root,1394,root,'cd ~dog',ok).
audit(root,1395,dog,'rm *',ok).
audit(root,1396,dog,cd,ok).
audit(root,1400,root,'login root',ok).
audit(root,1421,root,logout,ok).
audit(graham,1500,none,'login graham',ok).
audit(graham,1501,graham,ls,ok).
audit(graham,1502,graham,'mail root',bad(important,graham)).
audit(root,1503,root,mail,ok).
audit(uri,2119,none,'login uri',ok).
audit(uri,2127,uri,'cd ba',ok).
audit(uri,2216,ba,'rm *',ok).
audit(uri,2218,ba,logout,ok).
audit(tom,2713,none,'login tom',ok).
audit(tom,2732,tom,'cd ba',ok).
audit(tom,2749,ba,'cp aa guest/aa',ok).
audit(tom,2754,ba,logout,ok).
audit(root,4474,none,'login root',fail).
audit(root,4475,none,'login root',fail).
audit(root,4476,none,'login root',fail).
audit(root,4493,none,'login root',ok).
audit(root,4499,root,'cd etc',ok).
audit(root,5087,etc,'emacs passwd',1017).
audit(root,5088,etc,cd,ok).
audit(root,5089,root,'cd bin',ok).
audit(root,5205,bin,'mail root',bad(cd,bin)).
audit(root,5208,bin,logout,ok).
audit(tom,6351,none,'login tom',ok).
audit(tom,6355,tom,'cd ba',ok).
audit(tom,6421,ba,'emacs ab',12345).
audit(tom,6428,ba,logout,ok).
audit(doe,8982,none,'login doe',ok).
audit(doe,9315,doe,'emacs bigpaper',29947).
audit(doe,9335,doe,'emacs csproject',1024).
audit(doe,9352,doe,ls,ok).
audit(doe,9360,doe,'emacs csproject',4096).
audit(doe,9373,doe,'mail root',bad(ls,bin)).
audit(doe,9375,doe,'mail root',bad(doefile,doe)).
audit(doe,9379,doe,logout,ok).
audit(dog,9400,none,'login dog',ok).
audit(dog,9403,dog,ls,ok).
audit(dog,9404,dog,'mail root',bad(bark,dog)).
audit(dog,9405,dog,logout,ok).

The following is the script of Run 1:


Script started on Thu Mar 16 00:16:45 1995 
«alias: No such file or directory. 

[7inai2 : /users/work4/schiavo/Thesis/Tutor>> [mprolog 


Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0) 

Copyright (C) 1990, Quintus Corporation. All rights reserved. 

2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800 

| ?- [intruder].

% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)

% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.134 sec 9,392 bytes
% module random imported into user

* Clauses for writefact/2 are not together in the source file

% metutor30.pl compiled in module user, 3.367 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/auditfile
% auditfile compiled in module user, 0.417 sec 8,744 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.467 sec 5,240 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules

* Clauses for behavior/5 are not together in the source file

* Clauses for behavior/4 are not together in the source file

% rules compiled in module user, 0.666 sec 7,416 bytes

% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/files
% files compiled in module user, 0.117 sec 4,276 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators

* Clauses for recommended/3 are not together in the source file

* Clauses for recommended/2 are not together in the source file

* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.583 sec 8,268 bytes

% intruder.pl compiled in module user, 6.383 sec 95,212 bytes

yes

| ?- statistics.

memory (total)      649696 bytes:  458764 in use,  190932 free
   program space    327700 bytes
   global space      65532 bytes:   26688 in use,   38844 free
      global stack   24584 bytes
      trail             16 bytes
      system          2088 bytes
   local stack       65532 bytes:     440 in use,   65092 free
      local stack      416 bytes
      system            24 bytes

 0.000 sec. for 0 global and 3 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
 5.933 sec. runtime

yes

| ?- start.

AUDIT FILE

The following displays the current contents of the audit file:

Name     Time  Path      Command           Result
adams    10    none      login adams       ok
adams    20    adams     ls                ok
adams    30    adams     cd diradams       ok
adams    30    none      login adams       ok
adams    35    diradams  ls                ok
adams    40    diradams  emacs auxa        1014
adams    50    diradams  rm auxa           ok
adams    60    diradams  emacs auxb        1212
adams    70    diradams  rm auxb           ok
adams    80    diradams  emacs auxc        1346
adams    90    diradams  rm auxc           ok
adams    100   diradams  cd                ok
adams    110   adams     rmdir diradams    ok
adams    120   adams     logout            ok
brown    130   none      login brown       fail
brown    132   none      login brown       fail
brown    134   none      login brown       fail
brown    136   none      login brown       ok
brown    138   brown     yppasswd          ok
brown    140   brown     logout            ok
brown    1030  none      login brown       fail
brown    1031  none      login brown       fail
brown    1032  none      login brown       fail
brown    1033  none      mail root         bad(password,brown)
coleman  160   none      login coleman     fail
coleman  170   none      login coleman     fail
coleman  180   none      login coleman     fail
davis    190   none      login davis       ok
davis    200   davis     emacs goodnews    2372
davis    410   davis     logout            ok
doe      8982  none      login doe         ok
doe      9315  doe       emacs bigpaper    29947
doe      9335  doe       emacs csproject   1024
doe      9352  doe       ls                ok
doe      9360  doe       emacs csproject   4096
doe      9373  doe       mail root         bad(ls,bin)
doe      9375  doe       mail root         bad(doefile,doe)
doe      9379  doe       logout            ok
dog      9400  none      login dog         ok
dog      9403  dog       ls                ok
dog      9404  dog       mail root         bad(bark,dog)
dog      9405  dog       logout            ok
evans    420   none      login evans       ok
evans    430   evans     ls                ok
evans    440   evans     cd csclass        ok
evans    450   csclass   ls                ok
evans    460   csclass   emacs proj_one    140292
evans    880   csclass   logout            ok
farmer   1203  none      login farmer      fail
farmer   1204  none      login farmer      fail
farmer   1205  none      login farmer      fail
farmer   1206  none      login farmer      fail
farmer   1207  farmer    mail root         bad(password,farmer)
farmer   1220  farmer    mail root         bad(secrets,farmer)
graham   1500  none      login graham      ok
graham   1501  graham    ls                ok
graham   1502  graham    mail root         bad(important,graham)
jones    910   jones     su                fail
jones    910   none      login jones       ok
jones    911   jones     su                fail
jones    912   jones     su                fail
jones    920   jones     su                ok
jones    921   root      cd ~farmer        ok
jones    922   farmer    ls                ok
jones    923   farmer    rm secrets        ok
jones    924   farmer    yppasswd          ok
jones    925   farmer    cd ~graham        ok
jones    926   graham    ls                ok
jones    927   graham    emacs important   11272
root     315   none      login root        fail
root     324   none      login root        ok
root     329   root      cd bin            ok
root     589   bin       emacs ls          3024
root     1119  bin       emacs cd          4979
root     1211  root      mail              ok
root     1394  root      cd ~dog           ok
root     1395  dog       rm *              ok
root     1396  dog       cd                ok
root     1400  root      login root        ok
root     1421  root      logout            ok
root     1503  root      mail              ok
root     4474  none      login root        fail
root     4475  none      login root        fail
root     4476  none      login root        fail
root     4493  none      login root        ok
root     4499  root      cd etc            ok
root     5087  etc       emacs passwd      1017
root     5088  etc       cd                ok
root     5089  root      cd bin            ok
root     5205  bin       mail root         bad(cd,bin)
root     5208  bin       logout            ok
smith    859   none      login smith       ok
smith    900   smith     cd etc            ok
smith    901   etc       cp passwd ~smith  ok
smith    902   etc       logout            ok
tom      2713  none      login tom         ok
tom      2732  tom       cd ba             ok
tom      2749  ba        cp aa guest/aa    ok
tom      2754  ba        logout            ok
tom      6351  none      login tom         ok
tom      6355  tom       cd ba             ok
tom      6421  ba        emacs ab          12345
tom      6428  ba        logout            ok
uri      2119  none      login uri         ok
uri      2127  uri       cd ba             ok
uri      2216  ba        rm *              ok
uri      2218  ba        logout            ok

MAIL RECEIVED

The following displays mail received by root:

From     To    Time  Problem(File,Directory)
brown    root  1033  bad(password,brown)
doe      root  9373  bad(ls,bin)
doe      root  9375  bad(doefile,doe)
dog      root  9404  bad(bark,dog)
farmer   root  1207  bad(password,farmer)
farmer   root  1220  bad(secrets,farmer)
graham   root  1502  bad(important,graham)
root     root  5205  bad(cd,bin)

% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_14117)
This fact is not removable: examined(password,_14051)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_14030)
This fact is not removable: changed(password,for,_13988)
This fact is not removable: changed(permissions,file,_14160)
This fact is not removable: restored(password,for,_14096)
This fact is not removable: issued(now,password,to,_14074)

Your objectives:
backup tape is stored and password cracker is executed.

Wait a moment while I analyze the problem thoroughly.

* To see a list of possible actions, type the letter "h" or the word
* "help." To review the audit file or your mail at anytime, type the
* word "auditfile" or "mail" respectively.
*

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: execute password cracker
You chose to execute password cracker.

I am thinking....

OK, but a hint: "restore modified file passwd from backup"
is more important now than "execute password cracker".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: restore modified file passwd from backup
You chose to restore modified file passwd from backup.

>>>>Operator restore(modified,file,passwd,from,backup) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator restore(modified,file,passwd,from,backup) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true
That action requires that:
found(file,passwd,on,backup,tape) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_323991) is true,
known(insecure,password,for,_323998) is true,
known(insecure,password,for,_324005) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: find file passwd on backup tape
You chose to find file passwd on backup tape.

>>>>Operator find(file,passwd,on,backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator find(file,passwd,on,backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

Have you confused "backup tape is loaded" with "backup tape is stored"?
That action requires that:
backup tape must be loaded.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

>>>>Operator load(backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator load(backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

Have you confused "backup tape is located" with "backup tape is stored"?

Have you confused that with the locate backup tape action?

That action requires that:
backup tape must be located.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: locate backup tape
You chose to locate backup tape.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: find file passwd on backup tape
You chose to find file passwd on backup tape.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: restore modified file passwd from backup
You chose to restore modified file passwd from backup.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change password for adams
You chose to change password for adams.

I am thinking....

OK, but a hint: "change permissions file passwd"
is more important now than "change password for adams".

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change permissions file passwd
I am thinking....

You chose to change permissions file passwd.

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true

Have you confused that with the check permissions file passwd action?

That action requires that:
checked(permissions,file,passwd) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: check permissions file passwd
You chose to check permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change password for smith
You chose to change password for smith.

I am thinking....

OK, but a hint: "change root password"
is more important now than "change password for smith".

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change root password
You chose to change root password.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: auditfile

AUDIT FILE

The following displays the current contents of the audit file:

Name     Time  Path      Command           Result
adams    10    none      login adams       ok
adams    20    adams     ls                ok
adams    30    adams     cd diradams       ok
adams    30    none      login adams       ok
adams    35    diradams  ls                ok
adams    40    diradams  emacs auxa        1014
adams    50    diradams  rm auxa           ok
adams    60    diradams  emacs auxb        1212
adams    70    diradams  rm auxb           ok
adams    80    diradams  emacs auxc        1346
adams    90    diradams  rm auxc           ok
adams    100   diradams  cd                ok
adams    110   adams     rmdir diradams    ok
adams    120   adams     logout            ok
brown    130   none      login brown       fail
brown    132   none      login brown       fail
brown    134   none      login brown       fail
brown    136   none      login brown       ok
brown    138   brown     yppasswd          ok
brown    140   brown     logout            ok
brown    1030  none      login brown       fail
brown    1031  none      login brown       fail
brown    1032  none      login brown       fail
brown    1033  none      mail root         bad(password,brown)
coleman  160   none      login coleman     fail
coleman  170   none      login coleman     fail
coleman  180   none      login coleman     fail
davis    190   none      login davis       ok
davis    200   davis     emacs goodnews    2372
davis    410   davis     logout            ok
doe      8982  none      login doe         ok
doe      9315  doe       emacs bigpaper    29947
doe      9335  doe       emacs csproject   1024
doe      9352  doe       ls                ok
doe      9360  doe       emacs csproject   4096
doe      9373  doe       mail root         bad(ls,bin)
doe      9375  doe       mail root         bad(doefile,doe)
doe      9379  doe       logout            ok
dog      9400  none      login dog         ok
dog      9403  dog       ls                ok
dog      9404  dog       mail root         bad(bark,dog)
dog      9405  dog       logout            ok
evans    420   none      login evans       ok
evans    430   evans     ls                ok
evans    440   evans     cd csclass        ok
evans    450   csclass   ls                ok
evans    460   csclass   emacs proj_one    140292
evans    880   csclass   logout            ok
farmer   1203  none      login farmer      fail
farmer   1204  none      login farmer      fail
farmer   1205  none      login farmer      fail
farmer   1206  none      login farmer      fail
farmer   1207  farmer    mail root         bad(password,farmer)
farmer   1220  farmer    mail root         bad(secrets,farmer)
graham   1500  none      login graham      ok
graham   1501  graham    ls                ok
graham   1502  graham    mail root         bad(important,graham)
jones    910   jones     su                fail
jones    910   none      login jones       ok
jones    911   jones     su                fail
jones    912   jones     su                fail
jones    920   jones     su                ok
jones    921   root      cd ~farmer        ok
jones    922   farmer    ls                ok
jones    923   farmer    rm secrets        ok
jones    924   farmer    yppasswd          ok
jones    925   farmer    cd ~graham        ok
jones    926   graham    ls                ok
jones    927   graham    emacs important   11272
root     315   none      login root        fail
root     324   none      login root        ok
root     329   root      cd bin            ok
root     589   bin       emacs ls          3024
root     1119  bin       emacs cd          4979
root     1211  root      mail              ok
root     1394  root      cd ~dog           ok
root     1395  dog       rm *              ok
root     1396  dog       cd                ok
root     1400  root      login root        ok
root     1421  root      logout            ok
root     1503  root      mail              ok
root     4474  none      login root        fail
root     4475  none      login root        fail
root     4476  none      login root        fail
root     4493  none      login root        ok
root     4499  root      cd etc            ok
root     5087  etc       emacs passwd      1017
root     5088  etc       cd                ok
root     5089  root      cd bin            ok
root     5205  bin       mail root         bad(cd,bin)
root     5208  bin       logout            ok
smith    859   none      login smith       ok
smith    900   smith     cd etc            ok
smith    901   etc       cp passwd ~smith  ok
smith    902   etc       logout            ok
tom      2713  none      login tom         ok
tom      2732  tom       cd ba             ok
tom      2749  ba        cp aa guest/aa    ok
tom      2754  ba        logout            ok
tom      6351  none      login tom         ok
tom      6355  tom       cd ba             ok
tom      6421  ba        emacs ab          12345
tom      6428  ba        logout            ok
uri      2119  none      login uri         ok
uri      2127  uri       cd ba             ok
uri      2216  ba        rm *              ok
uri      2218  ba        logout            ok

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: mail 




************************************

MAIL RECEIVED

The following displays mail received by root:

From    To    Time  Problem(File,Directory)
brown   root  1033  bad(password,brown)
doe     root  9373  bad(ls,bin)
doe     root  9375  bad(doefile,doe)
dog     root  9404  bad(bark,dog)
farmer  root  1207  bad(password,farmer)
farmer  root  1220  bad(secrets,farmer)
graham  root  1502  bad(important,graham)
root    root  5205  bad(cd,bin)

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.
Select an action: confront user jones
You chose to confront user jones.

OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user jones".

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.
Select an action: find file cd on backup tape
You chose to find file cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
and found(file,passwd,on,backup,tape) is true.
Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: find file ls on backup tape
You chose to find file ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: remove Trojan Horse from ls
You chose to remove Trojan Horse from ls.

>>>>Operator remove(Trojan,Horse,from,ls) could not be applied to:

password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true

>>>>Operator remove(Trojan,Horse,from,ls) could not be applied to:
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true
Have you confused "file ls are restored" with "file passwd is restored"?
That action requires that:
file ls must be restored.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file ls from backup
You chose to restore modified file ls from backup.

I am thinking....

OK, but a hint: "restore user password for brown"
is more important now than "restore modified file ls from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: remove Trojan Horse from ls
You chose to remove Trojan Horse from ls.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password brown
You chose to restore user password brown.
Not a valid action.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for brown
You chose to restore user password for brown.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for root
You chose to restore user password for root.

I am thinking....

Have you confused that with the restore user password for farmer action?
Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for farmer
You chose to restore user password for farmer.

OK.


************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password adams
You chose to examine user password adams.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password root
You chose to examine user password root.

I am thinking....

Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password root
You chose to investigate user password root.

Have you confused that with the investigate user password brown action?
OK, but a hint: "investigate user password brown"
is more important now than "investigate user password root".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password brown
You chose to investigate user password brown.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file cd from backup
You chose to restore modified file cd from backup.

OK, but a hint: "restore modified file important from backup"
is more important now than "restore modified file cd from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file important on backup tape
You chose to find file important on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file important from backup
You chose to restore modified file important from backup.

OK.

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file wag on backup tape 
You chose to find file wag on backup tape. 

I thinking. . . . 

Have you confused that with the find file secrets on backup tape action? 
OK, but a hint: "restore deleted file secrets from backup"
is more important now than "restore deleted file wag from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file secrets on backup tape 
You chose to find file secrets on backup tape. 

OK. 

************* These facts are now true: ************* 
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file secrets from backup
You chose to restore deleted file secrets from backup. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file wag from backup 
You chose to restore deleted file wag from backup. 

OK, but a hint: "restore deleted file bark from backup"
is more important now than "restore deleted file wag from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file bark on backup tape 
You chose to find file bark on backup tape. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file bark from backup
You chose to restore deleted file bark from backup.

OK. 

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file food on backup tape
You chose to find file food on backup tape. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,food,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file food from backup
You chose to restore deleted file food from backup.

OK. 

************ These facts are now true: ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file food is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,food,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: store backup tape 
You chose to store backup tape. 

OK. 

Congratulations! You have done the job. 

The session is over. Do "go." to restart. 

yes 

| ?- statistics.

memory (total)     4188640 bytes:    2743656 in use,   1444984 free
   program space   2612592 bytes
   global space      65532 bytes:      26644 in use,     38868 free
      global stack                     24516 bytes
      trail                               40 bytes
      system                            2088 bytes
   local stack       65532 bytes:        648 in use,     64884 free
      local stack                        624 bytes
      system                              24 bytes

  67.000 sec. for 0 global and 45 local space shifts
   0.834 sec. for 3 garbage collections which collected 2905820 bytes
  87.633 sec. runtime


TAB 2. RUN 2 


The following is the audit file used for Run 2: 


audit(davis,9,none,'login davis',ok).
audit(davis,14,davis,'cd ~adams',ok).
audit(davis,21,adams,ls,ok).
audit(davis,96,adams,'login adams',fail).
audit(davis,108,adams,'login adams',ok).
audit(adams,122,adams,'cd ~adams',ok).
audit(adams,125,adams,'cd diradams',ok).
audit(evans,340,none,'login evans',ok).
audit(adams,500,diradams,'emacs auxb',1229).
audit(coleman,622,none,'login coleman',fail).
audit(evans,625,evans,'emacs csclass',511).
audit(coleman,632,none,'login coleman',fail).
audit(coleman,636,none,'login coleman',ok).
audit(coleman,652,coleman,'cd ~smith',ok).
audit(evans,655,evans,'mail root',bad(csclass,evans)).
audit(evans,657,evans,logout,ok).
audit(farmer,668,farmer,'cd ~root/bin',ok).
audit(farmer,668,none,'login farmer',ok).
audit(farmer,671,bin,ls,ok).
audit(coleman,684,smith,ls,ok).
audit(farmer,687,bin,'cd ~root',ok).
audit(farmer,707,root,ls,ok).
audit(farmer,711,root,'login root',fail).
audit(farmer,716,root,'login root',fail).
audit(farmer,720,root,'login root',fail).
audit(farmer,722,root,'login root',fail).
audit(coleman,729,smith,ls,ok).
audit(farmer,733,root,'login root',fail).
audit(coleman,736,smith,'login smith',ok).
audit(farmer,747,root,'login root',fail).
audit(farmer,751,root,'login root',ok).
audit(root,760,root,'cd etc',ok).

audit(root,788,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(smith,819,smith,'emacs tmp1434',344).
audit(root,942,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,947,etc,logout,ok).
audit(smith,1016,smith,'emacs tmp1435',362).
audit(tom,1122,none,'login tom',ok).
audit(tom,1140,tom,'cd ~adams',ok).
audit(tom,1146,adams,'cd ~doe',ok).
audit(tom,1176,doe,ls,ok).
audit(adams,1233,diradams,'emacs auxc',5221).
audit(adams,1237,diradams,logout,ok).
audit(smith,1438,smith,'emacs tmp1436',405).
audit(smith,1444,smith,logout,ok).
audit(tom,1754,doe,'emacs bigpaper',30111).
audit(tom,1759,doe,logout,ok).
audit(doe,2414,none,'login doe',fail).
audit(doe,2421,doe,su,fail).
audit(doe,2421,none,'login doe',ok).
audit(doe,2436,doe,su,fail).
audit(doe,2444,doe,su,fail).
audit(doe,2449,doe,su,ok).
audit(doe,2467,doe,'cd ~adams',ok).
audit(doe,2473,adams,ls,ok).
audit(doe,2491,adams,'cd ~tom/ba',ok).
audit(doe,2510,ba,'cd ~dog',ok).
audit(doe,2522,dog,ls,ok).
audit(doe,2529,dog,'cd ~adams',ok).
audit(doe,2536,adams,'cd ~tom/ba',ok).
audit(doe,2543,ba,'cd ~root/bin',ok).
audit(doe,2546,bin,'cd ~evans/csclass',ok).
audit(doe,2558,csclass,'cd ~davis',ok).
audit(doe,2569,davis,'cd ~farmer',ok).
audit(doe,2583,farmer,ls,ok).
audit(doe,2596,farmer,'cd ~adams',ok).
audit(doe,2615,adams,'cd ~tom/ba',ok).
audit(doe,2629,ba,'cd bin',ok).
audit(doe,2632,bin,'cd ~evans/csclass',ok).
audit(doe,2636,csclass,'cd ~davis',ok).
audit(doe,2643,davis,'cd ~adams/diradams',ok).
audit(doe,2646,diradams,'cd ~graham',ok).
audit(doe,2670,graham,ls,ok).
audit(doe,2687,adams,'cd ~root',ok).
audit(doe,2687,graham,'cd ~adams',ok).
audit(doe,2709,root,ls,ok).
audit(doe,2720,root,'cd ~adams',ok).
audit(doe,2911,adams,'cat auxa',ok).
audit(doe,2938,adams,'cat auxb',ok).
audit(doe,2979,none,'login doe',fail).
audit(doe,2981,none,'login doe',ok).
audit(doe,2982,doe,su,fail).
audit(doe,2998,doe,su,fail).
audit(doe,3007,doe,su,fail).

audit(doe,3010,doe,su,fail).
audit(doe,3025,doe,su,fail).
audit(doe,3035,doe,su,fail).
audit(doe,3046,doe,su,fail).
audit(doe,3061,doe,su,fail).
audit(doe,3080,doe,su,fail).
audit(doe,3085,doe,su,fail).
audit(doe,3104,doe,su,fail).
audit(doe,3114,doe,su,fail).
audit(doe,3132,adams,'cat auxc',ok).
audit(doe,3133,doe,su,fail).
audit(doe,3152,doe,su,fail).
audit(doe,3163,doe,su,fail).
audit(doe,3174,doe,su,fail).
audit(doe,3186,doe,su,fail).
audit(doe,3187,doe,su,fail).
audit(doe,3195,adams,'cat diradams',ok).
audit(doe,3199,doe,su,fail).
audit(doe,3204,adams,'cd ~tom/ba',ok).
audit(doe,3207,doe,su,fail).
audit(doe,3214,ba,'cd ~graham',ok).
audit(doe,3214,doe,su,fail).
audit(doe,3217,doe,su,fail).
audit(doe,3221,doe,su,fail).
audit(doe,3238,doe,su,fail).
audit(doe,3249,doe,su,fail).
audit(doe,3253,doe,su,fail).
audit(davis,3256,none,'login davis',ok).
audit(doe,3269,doe,su,fail).
audit(doe,3279,doe,su,ok).
audit(doe,3283,doe,'cd ~root/bin',ok).
audit(doe,3311,bin,ls,ok).
audit(doe,3320,bin,'cd root',ok).
audit(doe,3336,root,ls,ok).
audit(doe,3350,root,'cd ~adams',ok).
audit(doe,3360,adams,'cd ~tom/ba',ok).
audit(doe,3377,ba,'cd ~root/bin',ok).
audit(doe,3379,graham,'cat important',ok).
audit(doe,3390,graham,'cd ~adams',ok).
audit(doe,3403,adams,'cd ~farmer',ok).
audit(davis,3461,davis,'emacs goodnews',1447).
audit(davis,3467,davis,logout,ok).
audit(doe,3512,farmer,'cat secrets',ok).
audit(doe,3516,farmer,logout,ok).
audit(doe,3875,bin,'emacs cd',5038).
audit(doe,4430,bin,'emacs ls',2121).
audit(doe,5140,bin,'emacs please_run_me',22914).
audit(doe,5141,bin,logout,ok).
audit(doe,5147,bin,'login doe',fail).
audit(doe,5155,bin,'login doe',fail).
audit(doe,5169,bin,'login doe',fail).
audit(doe,5176,bin,'login doe',fail).
audit(doe,5186,bin,'login doe',fail).
audit(doe,5192,bin,'login doe',fail).
audit(doe,5193,bin,'login doe',fail).
audit(doe,5203,bin,'login doe',ok).
audit(doe,5204,doe,'cd ~root/bin',ok).
audit(doe,5272,bin,'emacs please_run_me',22914).
audit(doe,5275,bin,logout,ok).
audit(adams,5832,none,'login adams',fail).
audit(adams,5839,none,'login adams',fail).
audit(adams,5846,none,'login adams',ok).
audit(adams,5855,adams,'cd ~root/bin',ok).
audit(adams,5878,bin,ls,fail).
audit(adams,5903,bin,ls,ok).
audit(adams,5915,bin,'cd ~adams',ok).
audit(adams,5920,adams,'cd ~tom/ba',ok).
audit(adams,5935,ba,'cd ~dog',ok).
audit(adams,5957,dog,ls,ok).
audit(adams,5960,dog,'cd ~adams',ok).
audit(adams,5978,adams,'cd ~tom',ok).
audit(adams,6016,tom,ls,fail).
audit(adams,6019,tom,ls,ok).
audit(adams,6036,tom,'cd ~adams',ok).
audit(adams,6052,adams,'cd ~uri',ok).
audit(adams,6086,uri,ls,ok).
audit(adams,6090,uri,'cd ~adams',ok).
audit(adams,6096,adams,'cd ba',ok).
audit(adams,6111,ba,'cd ~root/bin',ok).
audit(adams,6114,bin,'cd ~evans/csclass',ok).
audit(adams,6116,csclass,'cd ~tom',ok).
audit(adams,6138,tom,'rm *',ok).
audit(adams,6297,tom,'mail tom','Haha ful').
audit(adams,6303,tom,logout,ok).
audit(davis,7582,none,'login davis',ok).
audit(smith,7867,none,'login smith',ok).
audit(smith,7872,smith,'cd ~adams',ok).
audit(smith,7891,adams,'cd ~tom',ok).
audit(davis,8012,davis,'emacs topsecret',1572).
audit(davis,8013,davis,logout,ok).
audit(smith,8027,tom,'emacs bb',451).
audit(smith,8029,tom,'mail root',bad(cd,bin)).
audit(smith,8036,tom,logout,ok).
audit(root,8573,none,'login root',ok).
audit(root,8586,root,'cd ~adams',ok).
audit(root,8604,adams,'cd ~root/bin',ok).
audit(root,8642,bin,ls,ok).
audit(root,8645,bin,'mail root',bad(cd,bin)).
audit(root,8654,bin,'cd ~adams',ok).
audit(root,8667,adams,'cd ~tom/ba',ok).
audit(root,8684,ba,'cd ~root/bin',ok).
audit(root,8696,bin,'cd ~graham',ok).
audit(root,8730,graham,ls,ok).
audit(root,8826,graham,'login graham',ok).
audit(graham,9382,graham,'emacs important',10219).
audit(graham,9390,graham,logout,ok).
audit(graham,9994,none,'login graham',ok).
audit(graham,9997,graham,'cd ~tom',ok).
audit(graham,10033,tom,ls,ok).
audit(graham,10037,tom,'emacs aa',658).
audit(graham,10044,tom,logout,ok).
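
An added example, not part of the thesis or of the IDTS rule base: Python that parses audit facts in the format of the Run 2 listing above and applies two checks a student would otherwise make by eye, a run of failed `login`/`su` attempts that ends in success, and files edited while the working directory is `bin`. The field names follow the tutor's display (Name, Time, Path, Command, Result); the threshold of three failures, the function names and the reading of path `bin` as `~root/bin` are assumptions.

```python
import re
from collections import defaultdict

# Records copied from the Run 2 audit listing with OCR noise removed, plus one
# line left damaged on purpose (constructed) to exercise the reject path.
SAMPLE = """
audit(coleman,622,none,'login coleman',fail).
audit(evans,625,evans,'emacs csclass',511).
audit(coleman,632,none,'login coleman',fail).
audit(coleman,636,none,'login coleman',ok).
audit(evans,655,evans,'mail root',bad(csclass,evans)).
audit(farmer,668,none,'login farmer',ok).
audit(farmer,711,root,'login root',fail).
audit(farmer,716,root,'login root',fail).
audit(farmer,720,root,'login root',fail).
audit(farmer,722,root,'login root',fail).
audit(farmer,733,root,'login root',fail).
audit(farmer,747,root,'login root',fail).
audit(farmer,751,root,'login root',ok).
audit(doe,2421,doe,su,fail).
audit(doe,2436,doe,su,fail).
audit(doe,2444,doe,su,fail).
audit(doe,2449,doe,su,ok).
audit(doe,3238,doe,su,failX
audit(doe,3269,doe,su,fail).
audit(doe,3279,doe,su,ok).
audit(doe,3875,bin,'emacs cd',5038).
audit(doe,4430,bin,'emacs ls',2121).
"""

# audit(Name, Time, Path, Command, Result). Command is an atom or a quoted
# string; Result may be ok, fail, a number, a quoted string or a term such as
# bad(File,Owner), so it is taken as everything up to the closing ").".
FACT = re.compile(
    r"audit\(\s*(\w+)\s*,\s*(\d+)\s*,\s*(\w+)\s*,"
    r"\s*('[^']*'|\w+)\s*,\s*(.+)\)\.\s*"
)


def parse_audit(text):
    """Return (records sorted by time, lines that did not parse)."""
    records, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FACT.fullmatch(line)
        if not m:
            rejected.append(line)  # keep damaged lines for review, never guess
            continue
        name, time, path, command, result = m.groups()
        records.append({
            "name": name, "time": int(time), "path": path,
            "command": command.strip("'"),
            "result": result.strip().strip("'"),
        })
    # sorted() is stable, so records with equal times keep their file order
    return sorted(records, key=lambda r: r["time"]), rejected


def guessing_then_success(records, min_failures=3):
    """Flag login/su runs of >= min_failures failures that end in success."""
    streak = defaultdict(list)  # (name, command) -> times of pending failures
    alerts = []
    for r in records:
        cmd = r["command"]
        if cmd != "su" and not cmd.startswith("login "):
            continue
        key = (r["name"], cmd)
        if r["result"] == "fail":
            streak[key].append(r["time"])
        elif r["result"] == "ok":
            fails = streak.pop(key, [])
            if len(fails) >= min_failures:
                alerts.append((r["name"], cmd, len(fails), fails[0], r["time"]))
    return alerts


def edits_in_bin(records):
    """List (name, time, file) for every emacs session started in path bin."""
    return [(r["name"], r["time"], r["command"].split(None, 1)[1])
            for r in records
            if r["path"] == "bin" and r["command"].startswith("emacs ")]


if __name__ == "__main__":
    records, rejected = parse_audit(SAMPLE)
    for name, cmd, n, first, ok_time in guessing_then_success(records):
        print(f"{name}: {n} failed '{cmd}' from t={first}, success at t={ok_time}")
    for name, time, target in edits_in_bin(records):
        print(f"{name} edited bin/{target} at t={time}: compare with backup copy")
    print(f"{len(rejected)} unparseable line(s) for manual review: {rejected}")
```

Each file reported by `edits_in_bin` is a candidate for the comparison against the backup tape that the tutor records as `compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape)`.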


The following is the script of Run 2: 


Script started on Wed Mar 15 22:33:52 1995
.alias: No such file or directory.

ai2:/users/work4/schiavo/Thesis/Tutor>>prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.100 sec 9,392 bytes
% module random imported into user
Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.016 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modrowe5
% modrowe5 compiled in module user, 0.633 sec 14,724 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.433 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.616 sec 7,440 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.100 sec 4,252 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.600 sec 8,308 bytes
% intruder.pl compiled in module user, 6.283 sec 101,320 bytes

yes




| ?- statistics.

memory (total)      649696 bytes:     464956 in use,    184740 free
   program space    333892 bytes
   global space      65532 bytes:      26686 in use,     38844 free
      global stack                     24584 bytes
      trail                               16 bytes
      system                            2088 bytes
   local stack       65532 bytes:        440 in use,     65092 free
      local stack                        416 bytes
      system                              24 bytes

   0.000 sec. for 0 global and 3 local space shifts
   0.000 sec. for 0 garbage collections which collected 0 bytes
   6.566 sec. runtime

yes 

| ?- start.

******************************************************************************* 


AUDIT FILE 

The following displays the current contents of the audit file: 




Name     Time   Path      Command                 Result
adams    122    adams     cd ~adams               ok
adams    125    adams     cd diradams             ok
adams    500    diradams  emacs auxb              1229
adams    1233   diradams  emacs auxc              5221
adams    1237   diradams  logout                  ok
adams    5832   none      login adams             fail
adams    5839   none      login adams             fail
adams    5846   none      login adams             ok
adams    5855   adams     cd ~root/bin            ok
adams    5878   bin       ls                      fail
adams    5903   bin       ls                      ok
adams    5915   bin       cd ~adams               ok
adams    5920   adams     cd ~tom/ba              ok
adams    5935   ba        cd ~dog                 ok
adams    5957   dog       ls                      ok
adams    5960   dog       cd ~adams               ok
adams    5978   adams     cd ~tom                 ok
adams    6016   tom       ls                      fail
adams    6019   tom       ls                      ok
adams    6036   tom       cd ~adams               ok
adams    6052   adams     cd ~uri                 ok
adams    6066   uri       ls                      ok
adams    6090   uri       cd ~adams               ok
adams    6096   adams     cd ba                   ok
adams    6111   ba        cd ~root/bin            ok
adams    6114   bin       cd ~evans/csclass       ok
adams    6116   csclass   cd ~tom                 ok
adams    6138   tom       rm *                    ok
adams    6297   tom       mail tom                Haha ful
adams    6303   tom       logout                  ok
coleman  622    none      login coleman           fail
coleman  632    none      login coleman           fail
coleman  636    none      login coleman           ok
coleman  652    coleman   cd ~smith               ok
coleman  684    smith     ls                      ok
coleman  729    smith     ls                      ok
coleman  736    smith     login smith             ok

davis    9      none      login davis             ok
davis    14     davis     cd ~adams               ok
davis    21     adams     ls                      ok
davis    96     adams     login adams             fail
davis    108    adams     login adams             ok
davis    3256   none      login davis             ok
davis    3461   davis     emacs goodnews          1447
davis    3467   davis     logout                  ok
davis    7582   none      login davis             ok
davis    8012   davis     emacs topsecret         1572
davis    8013   davis     logout                  ok

doe      2414   none      login doe               fail
doe      2421   doe       su                      fail
doe      2421   none      login doe               ok
doe      2436   doe       su                      fail
doe      2444   doe       su                      fail
doe      2449   doe       su                      ok
doe      2467   doe       cd ~adams               ok
doe      2473   adams     ls                      ok
doe      2491   adams     cd ~tom/ba              ok
doe      2510   ba        cd ~dog                 ok
doe      2522   dog       ls                      ok
doe      2529   dog       cd ~adams               ok
doe      2536   adams     cd ~tom/ba              ok
doe      2543   ba        cd ~root/bin            ok
doe      2546   bin       cd ~evans/csclass       ok
doe      2558   csclass   cd ~davis               ok
doe      2569   davis     cd ~farmer              ok
doe      2583   farmer    ls                      ok
doe      2596   farmer    cd ~adams               ok
doe      2615   adams     cd ~tom/ba              ok
doe      2629   ba        cd bin                  ok
doe      2632   bin       cd ~evans/csclass       ok
doe      2636   csclass   cd ~davis               ok
doe      2643   davis     cd ~adams/diradams      ok
doe      2646   diradams  cd ~graham              ok
doe      2670   graham    ls                      ok
doe      2687   adams     cd ~root                ok
doe      2687   graham    cd ~adams               ok
doe      2709   root      ls                      ok
doe      2720   root      cd ~adams               ok
doe      2911   adams     cat auxa                ok
doe      2938   adams     cat auxb                ok
doe      2979   none      login doe               fail
doe      2981   none      login doe               ok
doe      2982   doe       su                      fail
doe      2998   doe       su                      fail
doe      3007   doe       su                      fail
doe      3010   doe       su                      fail
doe      3025   doe       su                      fail
doe      3035   doe       su                      fail
doe      3046   doe       su                      fail
doe      3061   doe       su                      fail
doe      3080   doe       su                      fail
doe      3085   doe       su                      fail
doe      3104   doe       su                      fail
doe      3114   doe       su                      fail
doe      3132   adams     cat auxc                ok
doe      3133   doe       su                      fail
doe      3152   doe       su                      fail
doe      3163   doe       su                      fail
doe      3174   doe       su                      fail
doe      3186   doe       su                      fail
doe      3187   doe       su                      fail
doe      3195   adams     cat diradams            ok
doe      3199   doe       su                      fail
doe      3204   adams     cd ~tom/ba              ok
doe      3207   doe       su                      fail
doe      3214   ba        cd ~graham              ok
doe      3214   doe       su                      fail
doe      3217   doe       su                      fail
doe      3221   doe       su                      fail
doe      3238   doe       su                      fail
doe      3249   doe       su                      fail
doe      3253   doe       su                      fail
doe      3269   doe       su                      fail
doe      3279   doe       su                      ok
doe      3283   doe       cd ~root/bin            ok
doe      3311   bin       ls                      ok
doe      3320   bin       cd root                 ok
doe      3336   root      ls                      ok
doe      3350   root      cd ~adams               ok
doe      3360   adams     cd ~tom/ba              ok
doe      3377   ba        cd ~root/bin            ok
doe      3379   graham    cat important           ok
doe      3390   graham    cd ~adams               ok
doe      3403   adams     cd ~farmer              ok
doe      3512   farmer    cat secrets             ok
doe      3516   farmer    logout                  ok
doe      3875   bin       emacs cd                5038
doe      4430   bin       emacs ls                2121
doe      5140   bin       emacs please_run_me     22914
doe      5141   bin       logout                  ok
doe      5147   bin       login doe               fail
doe      5155   bin       login doe               fail
doe      5169   bin       login doe               fail
doe      5176   bin       login doe               fail
doe      5186   bin       login doe               fail
doe      5192   bin       login doe               fail
doe      5193   bin       login doe               fail
doe      5203   bin       login doe               ok
doe      5204   doe       cd ~root/bin            ok
doe      5272   bin       emacs please_run_me     22914
doe      5275   bin       logout                  ok

evans 

340 

none 

login evans 

ok 

evans 

625 

evans 

emacs csclass 

511 

evans 

655 

evems 

mail root 

bad(csclass,evans) 

evans 

657 

evans 

logout 

ok 

farmer 

668 

farmer 

cd -root/bin 

ok 

farmer 

668 

none 

login farmer 

ok 

farmer 

671 

bin 

Is 

ok 

farmer 

687 

bin 

cd -root 

ok 

farmer 

707 

root 

Is 

ok 

farmer 

711 

root 

login root 

fail 

farmer 

716 

root 

login root 

fail 
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farmer 

720 

root 

login root 

fail 

farmer 

722 

root 

login root 

fail 

farmer 

733 

root 

login root 

fail 

farmer 

747 

root 

login root 

fail 

farmer 

751 

root 

login root 

ok 

graham 

9382 

graham 

emacs important 

10219 

graham 

9390 

graham 

logout 

ok 

graham 

9994 

none 

login grsdiam 

ok 

graham 

9997 

graham 

cd -tom 

ok 

grah 2 un 

10033 

tom 

Is 

ok 

graham 

10037 

tom 

emacs aa 

658 

graham 

10044 

tom 

logout 

ok 

root 

760 

root 

cd etc 

ok 

root 

788 

etccp passwd -smith/dont_dare_look_at this ok 

root 

942 

etc 

mail root 

Captain Flash strikes again!!!! 

root 

947 

etc 

logout 

ok 

root 

8573 

none 

login root 

ok 

root 

8585 

root 

cd >-adam8 

ok 

root 

8604 

adeuns 

cd -root/bin 

ok 

root 

8642 

bin 

Is 

ok 

root 

6645 

bin 

mail root 

bad(cd,bin) 

root 

8654 

bin 

cd -adeuna 

ok 

root 

8667 

adams 

cd -tom/ba 

ok 

root 

8684 

ba 

cd -root/bin 

ok 

root 

8696 

bin 

cd -grediam 

ok 

root 

8730 

graheua 

Is 

ok 

root 

8826 

graham 

login graheon 

ok 

smith 

819 

smith 

emacs tiipl434 

344 

smith 

1016 

smith 

emacs tmpl435 

362 

smith 

1438 

smith 

emacs tnpl436 

405 

smith 

1444 

smith 

logout 

ok 

smith 

7867 

none 

login smith 

ok 

smith 

7872 

smith 

cd adams 

ok 

smith 

7891 

adams 

cd -tom 

ok 

smith 

8027 

tom 

emacs bb 

451 

smith 

8029 

tom 

mail root 

bad(cd,bin) 

smith 

8036 

tom 

logout 

ok 

tom 

1122 

none 

login tom 

ok i 

tom 

1140 

tom 

cd -adeuns 

ok 

tom 

1146 

adams 

cd -doe 

ok 

tom 

1176 

doe 

Is 

ok 

tom 

1754 

doe 

emacs bigpaper 

30111 

tom 

1759 

doe 

logout 

^ ^ ^ 4 ^ ^ ^ A ^ A ^ A A ^ ^ ^ 

ok 

* 

* 

• 



*************************************************
*                 MAIL RECEIVED                 *
*                                               *
* The following displays mail received by root: *
*************************************************

From    To      Time  Problem(File,Directory)
evans   root     655  bad(csclass,evans)
root    root     942  Captain Flash strikes again
root    root    8645  bad(cd,bin)
smith   root    8029  bad(cd,bin)

% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_12829)
This fact is not removable: examined(password,_12763)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_12742)
This fact is not removable: changed(password,for,_12700)
This fact is not removable: changed(permissions,file,_12872)
This fact is not removable: restored(password,for,_12808)
This fact is not removable: issued(new,password,to,_12786)

Your objectives:
backup tape is stored and password cracker is executed.
Wait a moment while I analyze the problem thoroughly.

**********************************************************************
*                                                                    *
* To see a list of possible actions, type the letter "h" or the word *
* "help." To review the audit file or your mail at anytime, type the *
* word "auditfile" or "mail" respectively.                           *
*                                                                    *
**********************************************************************

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: execute password cracker
You chose to execute password cracker.

OK, but a hint: "change permissions file passwd"
is more important now than "execute password cracker".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_201271) is true,
known(insecure,password,for,_201278) is true,
known(insecure,password,for,_201285) is true,
known(insecure,password,for,_201292) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true

Have you confused that with the check permissions file passwd action?

That action requires that:
checked(permissions,file,passwd) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_208775) is true,
known(insecure,password,for,_208782) is true,
known(insecure,password,for,_208789) is true,
known(insecure,password,for,_208796) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: check permissions file passwd
You chose to check permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change password for adams
You chose to change password for adams.

OK, but a hint: "change root password"
is more important now than "change password for adams".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change root password
You chose to change root password.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change password for farmer
You chose to change password for farmer.

OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "change password for farmer".

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: loacte backup tape
You chose to loacte backup tape.

I assume you mean locate backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: find file cd on backup tape
You chose to find file cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
and found(file,cd,on,backup,tape) is true.

Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: find file ls on backup tape
You chose to find file ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: change password for graham
You chose to change password for graham.

OK, but a hint: "confront user doe"
is more important now than "change password for graham".

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: confront user doe
You chose to confront user doe.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: change password for smith
You chose to change password for smith.

OK, but a hint: "restore modified file cd from backup"
is more important now than "change password for smith".

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore modified file cd from backup
You chose to restore modified file cd from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: h

Possible actions are:
change root password,
confront user _498410,
execute password cracker,
load backup tape,
locate backup tape,
store backup tape,
change password for _496436,
change permissions file passwd,
check permissions file _498448,
examine user password _498454,
investigate user password _498460,
issue _498464 new user password,
remove Trojan Horse from _498474,
restore user password for _498481,
find file _498486 on backup tape,
restore deleted file _498495 from backup,
restore modified file _498503 from backup,
restore modified file passwd from backup,
and compare file _498518 for Trojan Horse with _498518 on backup tape.

Possible commands to the tutor are:
help,
exit,
auditfile,
and mail.

Your objectives are:
password cracker must be executed and backup tape must be stored.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: find file bb on backup tape
You chose to find file bb on backup tape.

Have you confused that with the find file aa on backup tape action?

OK, but a hint: "restore deleted file aa from backup"
is more important now than "restore deleted file bb from backup".

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: find file aa on backup tape
You chose to find file aa on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore deleted file aa from backup
You chose to restore deleted file aa from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: store backup tape
You chose to store backup tape.

OK.

Congratulations! You have done the job.

The session is over. Do "go." to restart.

yes
| ?- statistics.

memory (total)      2353632 bytes:   1305836 in use,   1047796 free
   program space    1174772 bytes
   global space       65532 bytes:     26820 in use,     38712 free
      global stack    24692 bytes
      trail              40 bytes
      system           2088 bytes
   local stack        65532 bytes:       648 in use,     64884 free
      local stack       624 bytes
      system             24 bytes

 0.000 sec. for 0 global and 32 local space shifts
 0.233 sec. for 1 garbage collections which collected 1017792 bytes
47.100 sec. runtime

yes
| ?- halt.

TAB 3. RUN 3

The following is the audit file used for Run 3:


audit(jones,1680,none,'login jones',ok).
audit(jones,1681,jones,'cd ~smith',ok).
audit(jones,1716,smith,ls,ok).
audit(jones,1818,smith,'login smith',ok).
audit(smith,2368,smith,'emacs tmpl434',344).
audit(smith,3000,smith,'emacs tmpl435',362).
audit(evans,3287,none,'login evans',ok).
audit(evans,3303,evans,'cd ~root/bin',ok).
audit(evans,3331,bin,ls,ok).
audit(evans,3440,bin,'cd ~adams',ok).
audit(evans,3452,adams,'cd ~graham',ok).
audit(smith,3465,smith,'emacs tmpl436',405).
audit(evans,3469,graham,ls,ok).
audit(smith,3473,smith,logout,ok).
audit(uri,3550,none,'login uri',ok).
audit(uri,3561,uri,'cd ~adams',ok).
audit(uri,3569,adams,'cd ~root/bin',ok).
audit(uri,3602,bin,ls,ok).
audit(uri,3609,bin,'cd ~adams',ok).
audit(uri,3626,adams,'cd ~root',ok).
audit(evans,3627,graham,'login graham',ok).
audit(uri,3634,root,ls,fail).
audit(uri,3646,root,ls,fail).
audit(uri,3677,root,ls,fail).
audit(uri,3680,root,ls,ok).
audit(uri,3691,root,'login root',fail).
audit(uri,3699,root,'login root',fail).
audit(uri,3704,root,'login root',fail).
audit(uri,3705,root,'login root',fail).
audit(uri,3708,root,'login root',fail).
audit(uri,3722,root,'login root',fail).
audit(uri,3735,root,'login root',ok).
audit(root,3755,root,'cd etc',ok).
audit(root,3796,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(dog,3890,none,'login dog',fail).
audit(dog,3897,none,'login dog',fail).
audit(dog,3900,none,'login dog',fail).
audit(dog,3908,none,'login dog',fail).
audit(dog,3918,none,'login dog',fail).
audit(dog,3924,none,'login dog',fail).
audit(dog,3934,none,'login dog',fail).
audit(dog,3940,none,'login dog',ok).
audit(dog,3941,dog,su,fail).
audit(dog,3948,dog,su,fail).
audit(farmer,3954,none,'login farmer',fail).
audit(dog,3955,dog,su,fail).
audit(dog,3958,dog,su,fail).
audit(farmer,3966,none,'login farmer',fail).
audit(dog,3971,dog,su,fail).
audit(farmer,3974,none,'login farmer',fail).
audit(root,3974,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,3978,etc,logout,ok).
audit(dog,3985,dog,su,fail).
audit(farmer,3985,none,'login farmer',ok).
audit(farmer,3990,farmer,su,fail).
audit(dog,3994,dog,su,fail).
audit(dog,3995,dog,su,fail).
audit(farmer,3996,farmer,su,fail).
audit(dog,4014,dog,su,fail).
audit(farmer,4015,farmer,su,fail).

audit(farmer,4026,farmer,su^ail). 

audit(faimer,4028,fanner,su,fail). 

audit(farmer,4032,farmer,su,fail). 

audit(dog,4034,dog,su,fail). 

audit(farmer,4039,farmer,su/ail). 

audit(dog,4047,dog,su/ail). 

audit(farmer,4056,farmer,su,ok). 

audit(farmer,4057,farmer,’cd ~adams’,ok). 

audit(dog,4060,dog,su4^ail). 

audit(farmer,4064,adams,ls,ok). 

audit(dog,4077,dog,su/ail). 

audit(dog,4082,dog,su,fail). 

audit(faTmer,4083,adams, ’cd -dog ’ ,ok). 

audit(dog ,4093,dog,su/ail). 

audit(graham,4{)98,graham,’emacs importantM0444). 

audit(graham,4099,graham,logout,ok). 

audit(farmer,4105 ,dog,ls,ok). 

audit(dog,4108,dog,su,fail). 

audit(dog,4119,dog,su,fail). 

audit(faTmer,4123,dog,’cd~adams’,ok). 

audit(dog,4133,dog,su,fail). 

audit(farmer,4137,adams,’cd ~tom/ba’,ok). 

audit(farmer,4144,ba,’cd ~farmer’,ok). 

audit(dog,4150,dog,su,fail). 

audit(farmer,4152,farmer,ls,fail). 

audit(dog,4166,dog,su/ail). 

audit(dog,4170,dog,su/ail). 

auditfdog ,4182,dog,su,fail). 

audit(faimer,4184,farmer,ls,ok). 

audit(dog,4186,dog,su,fail). 

audit(dog ,4187,dog,su,fail). 

audit(farmer,4195 ,farmer, ’cd -graham ’ ,ok). 

auditfdog ,4202,dog,su,fail). 

audit(farmer,4210,graham,ls,ok). 

audit(davis,4213 ,none, ’login davis ’ ,ok). 

audit(dog,4214,dog,su,fail). 

audit(farmer,4217,graham,’cd-root’,ok). 

audit(dog,4220,dog,su,fail). 

audit(dog,4230,dog,su,fail). 

audit(farmer,4232,root4s,ok). 

audit(farmer,4234,root,’cd -adams’,ok). 

audit(dog,4242,dog,su,fail). 

audit(farmer,4252,adams, ’cat auxa’ ,ok). 

audit(dog,4258,dog,su,fail). 

audit(dog,4260,dog,su,ok). 

audit(dog,4271,dog,’cd -root/bin’,ok). 

audit(dog,4287,bin,ls,fail). 

audit(dog,4310,bin,ls,ok). 

audit(dog,4330,bin,’cd -root’,ok). 

audit(dog,4354joot,ls,ok). 

audit(dog,43674'oot,’cd -adams’,ok). 

audit(dog,4381,adams,’cd-root/bin’,ok). 

audit(farmer,4412,adams,’cat auxb’,ok). 

audit(davis,4490,davis,’emacs goodnews’,1258). 

audit(davis,4490,davis,logout,ok). 
audit(farmer,4494,adams,'cat auxc',ok).
audit(dog,4558,dog,'cd ~tom',ok).
audit(dog,4558,none,'login dog',ok).
audit(farmer,4710,adams,'cat diradams',ok).
audit(farmer,4719,adams,'cd ~tom/ba',ok).
audit(farmer,4720,ba,'cd ~root/bin',ok).
audit(farmer,4738,bin,'cd ~graham',ok).
audit(dog,4766,tom,'emacs bb',540).
audit(farmer,4836,graham,'cat important',ok).
audit(farmer,4849,graham,'cd ~farmer',ok).
audit(dog,4895,bin,'emacs cd',5075).
audit(dog,4906,tom,'mail root',bad(bb,tom)).
audit(dog,4909,tom,logout,ok).
audit(farmer,5002,farmer,'cat secrets',ok).
audit(farmer,5005,farmer,logout,ok).
audit(root,5006,none,'login root',fail).
audit(root,5010,none,'login root',fail).
audit(root,5014,none,'login root',fail).
audit(root,5016,none,'login root',fail).
audit(root,5021,none,'login root',fail).
audit(root,5030,none,'login root',ok).
audit(root,5045,root,'cd ~root/bin',ok).
audit(root,5051,bin,ls,fail).
audit(root,5071,bin,ls,ok).
audit(root,5079,bin,'cd ~adams',ok).
audit(root,5094,adams,'cd ~tom/ba',ok).
audit(root,5096,ba,'cd ~evans/csclass',ok).
audit(root,5108,csclass,'cd ~davis',ok).
audit(root,5128,davis,'cd ~adams/diradams',ok).
audit(root,5143,diradams,'cd ~doe',ok).
audit(root,5147,doe,'cd ~dog',ok).
audit(root,5186,dog,ls,fail).
audit(root,5214,dog,ls,fail).
audit(root,5246,dog,ls,ok).
audit(root,5249,dog,'cd ~adams',ok).
audit(root,5257,adams,'cd ~tom/ba',ok).
audit(brown,5271,none,'login brown',ok).
audit(brown,5275,brown,'cd ~adams',ok).
audit(root,5275,ba,'cd ~tom',ok).
audit(root,5276,tom,ls,ok).
audit(root,5284,tom,'cd ~adams',ok).
audit(dog,5289,bin,'emacs ls',2120).
audit(root,5294,adams,'cd ~tom/ba',ok).
audit(root,5310,ba,'cd ~root/bin',ok).
audit(root,5311,bin,'cd ~evans/csclass',ok).
audit(brown,5313,adams,ls,ok).
audit(root,5322,csclass,'cd ~uri',ok).
audit(root,5335,uri,ls,ok).
audit(root,5344,uri,'cd ~adams',ok).
audit(root,5355,adams,'cd ~tom/ba',ok).
audit(jones,5359,none,'login jones',ok).
audit(root,5371,ba,'cd ~root/bin',ok).
audit(root,5374,bin,'cd ~tom',ok).
audit(jones,5377,jones,'cd ~doe',ok).
audit(jones,5386,doe,ls,ok).
audit(root,5394,tom,'rm *',ok).
audit(root,5417,tom,'mail tom','Haha ful').
audit(root,5419,tom,logout,ok).
audit(jones,5435,doe,'mail root',bad(cd,bin)).
audit(brown,5455,adams,'mail root',bad(cd,bin)).
audit(brown,5456,adams,'login adams',ok).
audit(adams,5469,adams,'cd diradams',ok).
audit(adams,5669,diradams,'emacs auxb',1354).
audit(adams,5709,diradams,'mail root',bad(cd,bin)).
audit(jones,5798,doe,'emacs bigpaper',29935).
audit(jones,5798,doe,logout,ok).
audit(davis,5941,none,'login davis',fail).
audit(davis,5941,none,'login davis',ok).
audit(davis,5963,davis,'emacs topsecret',1572).
audit(davis,5970,davis,logout,ok).
audit(dog,6085,bin,'emacs please_run_me',22914).
audit(dog,6088,bin,logout,ok).
audit(dog,6099,bin,'login dog',fail).
audit(dog,6101,bin,'login dog',fail).
audit(dog,6103,bin,'login dog',fail).
audit(dog,6110,bin,'login dog',fail).
audit(dog,6112,bin,'login dog',fail).
audit(dog,6113,bin,'login dog',fail).
audit(dog,6125,bin,'login dog',fail).
audit(dog,6128,bin,'login dog',fail).
audit(dog,6139,bin,'login dog',fail).
audit(dog,6153,bin,'login dog',fail).
audit(dog,6160,bin,'login dog',fail).
audit(dog,6172,bin,'login dog',fail).
audit(dog,6173,bin,'login dog',fail).
audit(dog,6184,bin,'login dog',fail).
audit(dog,6196,bin,'login dog',fail).
audit(dog,6199,bin,'login dog',ok).
audit(dog,6216,dog,'cd ~adams',ok).
audit(dog,6234,adams,'cd ~tom/ba',ok).
audit(dog,6237,ba,'cd ~root/bin',ok).
audit(adams,6266,diradams,'emacs auxc',5060).
audit(adams,6268,diradams,logout,ok).
audit(dog,6397,bin,'emacs please_run_me',22914).
audit(dog,6403,bin,logout,ok).
audit(evans,6867,none,'login evans',ok).
audit(evans,6956,evans,'emacs csclass',519).
audit(evans,6962,evans,logout,ok).
audit(graham,8088,none,'login graham',ok).
audit(graham,8098,graham,'cd ~tom',ok).
audit(graham,8121,tom,ls,ok).
audit(graham,8266,tom,'mail root',bad(cd,bin)).
audit(graham,8855,tom,'emacs aa',549).
audit(graham,8858,tom,logout,ok).


The following is the script of Run 3: 


Script started on Wed Mar 15 22:45:04 1995
alias: No such file or directory
ai2: /users/work4/schiavo/Thesis/Tutor>> prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.117 sec 9,392 bytes
% module random imported into user
* Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.150 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modrowe6
% modrowe6 compiled in module user, 0.733 sec 16,388 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.433 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
* Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.633 sec 7,440 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.100 sec 4,304 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.584 sec 8,348 bytes
% intruder.pl compiled in module user, 6.383 sec 103,092 bytes

yes

| ?- statistics.

memory (total)       649696 bytes:   466728 in use,   182968 free
   program space     335664 bytes
   global space       65532 bytes:    26688 in use,    38844 free
      global stack    24584 bytes
      trail              16 bytes
      system           2088 bytes
   local stack        65532 bytes:      440 in use,    65092 free
      local stack       416 bytes
      system             24 bytes

 0.017 sec. for 0 global and 3 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
 6.733 sec. runtime

yes

| ?- start.


AUDIT FILE 

The following displays the current contents of the audit file: 


Name    Time  Path      Command                   Result
adams   5469  adams     cd diradams               ok
adams   5669  diradams  emacs auxb                1354
adams   5709  diradams  mail root                 bad(cd,bin)
adams   6266  diradams  emacs auxc                5060
adams   6268  diradams  logout                    ok
brown   5271  none      login brown               ok
brown   5275  brown     cd ~adams                 ok
brown   5313  adams     ls                        ok
brown   5455  adams     mail root                 bad(cd,bin)
brown   5456  adams     login adams               ok
davis   4213  none      login davis               ok
davis   4490  davis     emacs goodnews            1258
davis   4490  davis     logout                    ok
davis   5941  none      login davis               fail
davis   5941  none      login davis               ok
davis   5963  davis     emacs topsecret           1572
davis   5970  davis     logout                    ok
dog     3890  none      login dog                 fail
dog     3897  none      login dog                 fail
dog     3900  none      login dog                 fail
dog     3908  none      login dog                 fail
dog     3918  none      login dog                 fail
dog     3924  none      login dog                 fail
dog     3934  none      login dog                 fail
dog     3940  none      login dog                 ok
dog     3941  dog       su                        fail
dog     3948  dog       su                        fail
dog     3955  dog       su                        fail
dog     3958  dog       su                        fail
dog     3971  dog       su                        fail
dog     3985  dog       su                        fail
dog     3994  dog       su                        fail
dog     3995  dog       su                        fail
dog     4014  dog       su                        fail
dog     4034  dog       su                        fail
dog     4047  dog       su                        fail
dog     4060  dog       su                        fail
dog     4077  dog       su                        fail
dog     4082  dog       su                        fail
dog     4093  dog       su                        fail
dog     4108  dog       su                        fail
dog     4119  dog       su                        fail
dog     4133  dog       su                        fail
dog     4150  dog       su                        fail
dog     4166  dog       su                        fail
dog     4170  dog       su                        fail
dog     4182  dog       su                        fail
dog     4186  dog       su                        fail
dog     4187  dog       su                        fail
dog     4202  dog       su                        fail
dog     4214  dog       su                        fail
dog     4220  dog       su                        fail
dog     4230  dog       su                        fail
dog     4242  dog       su                        fail
dog     4258  dog       su                        fail
dog     4260  dog       su                        ok
dog     4271  dog       cd ~root/bin              ok
dog     4287  bin       ls                        fail
dog     4310  bin       ls                        ok
dog     4330  bin       cd ~root                  ok
dog     4354  root      ls                        ok
dog     4367  root      cd ~adams                 ok
dog     4381  adams     cd ~root/bin              ok
dog     4558  dog       cd ~tom                   ok
dog     4558  none      login dog                 ok
dog     4766  tom       emacs bb                  540
dog     4895  bin       emacs cd                  5075
dog     4906  tom       mail root                 bad(bb,tom)
dog     4909  tom       logout                    ok
dog     5289  bin       emacs ls                  2120
dog     6085  bin       emacs please_run_me       22914
dog     6088  bin       logout                    ok
dog     6099  bin       login dog                 fail
dog     6101  bin       login dog                 fail
dog     6103  bin       login dog                 fail
dog     6110  bin       login dog                 fail
dog     6112  bin       login dog                 fail
dog     6113  bin       login dog                 fail
dog     6125  bin       login dog                 fail
dog     6128  bin       login dog                 fail
dog     6139  bin       login dog                 fail
dog     6153  bin       login dog                 fail
dog     6160  bin       login dog                 fail
dog     6172  bin       login dog                 fail
dog     6173  bin       login dog                 fail
dog     6184  bin       login dog                 fail
dog     6196  bin       login dog                 fail
dog     6199  bin       login dog                 ok
dog     6216  dog       cd ~adams                 ok
dog     6234  adams     cd ~tom/ba                ok
dog     6237  ba        cd ~root/bin              ok
dog     6397  bin       emacs please_run_me       22914
dog     6403  bin       logout                    ok
evans   3287  none      login evans               ok
evans   3303  evans     cd ~root/bin              ok
evans   3331  bin       ls                        ok
evans   3440  bin       cd ~adams                 ok
evans   3452  adams     cd ~graham                ok
evans   3469  graham    ls                        ok
evans   3627  graham    login graham              ok
evans   6867  none      login evans               ok
evans   6956  evans     emacs csclass             519
evans   6962  evans     logout                    ok
farmer  3954  none      login farmer              fail
farmer  3966  none      login farmer              fail
farmer  3974  none      login farmer              fail
farmer  3985  none      login farmer              ok
farmer  3990  farmer    su                        fail
farmer  3996  farmer    su                        fail
farmer  4015  farmer    su                        fail
farmer  4026  farmer    su                        fail
farmer  4028  farmer    su                        fail
farmer  4032  farmer    su                        fail
farmer  4039  farmer    su                        fail
farmer  4056  farmer    su                        ok
farmer  4057  farmer    cd ~adams                 ok
farmer  4064  adams     ls                        ok
farmer  4083  adams     cd ~dog                   ok
farmer  4105  dog       ls                        ok
farmer  4123  dog       cd ~adams                 ok
farmer  4137  adams     cd ~tom/ba                ok
farmer  4144  ba        cd ~farmer                ok
farmer  4152  farmer    ls                        fail
farmer  4184  farmer    ls                        ok
farmer  4195  farmer    cd ~graham                ok
farmer  4210  graham    ls                        ok
farmer  4217  graham    cd ~root                  ok
farmer  4232  root      ls                        ok
farmer  4234  root      cd ~adams                 ok
farmer  4252  adams     cat auxa                  ok
farmer  4412  adams     cat auxb                  ok
farmer  4494  adams     cat auxc                  ok
farmer  4710  adams     cat diradams              ok
farmer  4719  adams     cd ~tom/ba                ok
farmer  4720  ba        cd ~root/bin              ok
farmer  4738  bin       cd ~graham                ok
farmer  4836  graham    cat important             ok
farmer  4849  graham    cd ~farmer                ok
farmer  5002  farmer    cat secrets               ok
farmer  5005  farmer    logout                    ok
graham  4098  graham    emacs important           10444
graham  4099  graham    logout                    ok
graham  8088  none      login graham              ok
graham  8098  graham    cd ~tom                   ok
graham  8121  tom       ls                        ok
graham  8266  tom       mail root                 bad(cd,bin)
graham  8855  tom       emacs aa                  549
graham  8858  tom       logout                    ok
jones   1680  none      login jones               ok
jones   1681  jones     cd ~smith                 ok
jones   1716  smith     ls                        ok
jones   1818  smith     login smith               ok
jones   5359  none      login jones               ok
jones   5377  jones     cd ~doe                   ok
jones   5386  doe       ls                        ok
jones   5435  doe       mail root                 bad(cd,bin)
jones   5798  doe       emacs bigpaper            29935
jones   5798  doe       logout                    ok
root    3755  root      cd etc                    ok
root    3796  etc       cp passwd ~smith/dont_dare_look_at_this  ok
root    3974  etc       mail root                 Captain Flash strikes again!!!!
root    3978  etc       logout                    ok
root    5006  none      login root                fail
root    5010  none      login root                fail
root    5014  none      login root                fail
root    5016  none      login root                fail
root    5021  none      login root                fail
root    5030  none      login root                ok
root    5045  root      cd ~root/bin              ok
root    5051  bin       ls                        fail
root    5071  bin       ls                        ok
root    5079  bin       cd ~adams                 ok
root    5094  adams     cd ~tom/ba                ok
root    5096  ba        cd ~evans/csclass         ok
root    5108  csclass   cd ~davis                 ok
root    5128  davis     cd ~adams/diradams        ok
root    5143  diradams  cd ~doe                   ok
root    5147  doe       cd ~dog                   ok
root    5186  dog       ls                        fail
root    5214  dog       ls                        fail
root    5246  dog       ls                        ok
root    5249  dog       cd ~adams                 ok
root    5257  adams     cd ~tom/ba                ok
root    5275  ba        cd ~tom                   ok
root    5276  tom       ls                        ok
root    5284  tom       cd ~adams                 ok
root    5294  adams     cd ~tom/ba                ok
root    5310  ba        cd ~root/bin              ok
root    5311  bin       cd ~evans/csclass         ok
root    5322  csclass   cd ~uri                   ok
root    5335  uri       ls                        ok
root    5344  uri       cd ~adams                 ok
root    5355  adams     cd ~tom/ba                ok
root    5371  ba        cd ~root/bin              ok
root    5374  bin       cd ~tom                   ok
root    5394  tom       rm *                      ok
root    5417  tom       mail tom                  Haha ful
root    5419  tom       logout                    ok
smith   2368  smith     emacs tmp1434             344
smith   3000  smith     emacs tmp1435             362
smith   3465  smith     emacs tmp1436             405
smith   3473  smith     logout                    ok
uri     3550  none      login uri                 ok
uri     3561  uri       cd ~adams                 ok
uri     3569  adams     cd ~root/bin              ok
uri     3602  bin       ls                        ok
uri     3609  bin       cd ~adams                 ok
uri     3626  adams     cd ~root                  ok
uri     3634  root      ls                        fail
uri     3646  root      ls                        fail
uri     3677  root      ls                        fail
uri     3680  root      ls                        ok
uri     3691  root      login root                fail
uri     3699  root      login root                fail
uri     3704  root      login root                fail
uri     3705  root      login root                fail
uri     3708  root      login root                fail
uri     3722  root      login root                fail
uri     3735  root      login root                ok


MAIL RECEIVED 

The following displays mail received by root:

From    To    Time  Problem(File,Directory)
adams   root  5709  bad(cd,bin)
brown   root  5455  bad(cd,bin)
dog     root  4906  bad(bb,tom)
graham  root  8266  bad(cd,bin)
jones   root  5435  bad(cd,bin)
root    root  3974  Captain Flash strikes again!!!!


% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_14653)
This fact is not removable: examined(password,_14587)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_14566)
This fact is not removable: changed(password,for,_14524)
This fact is not removable: changed(permissions,file,_14696)
This fact is not removable: restored(password,for,_14632)
This fact is not removable: issued(new,password,to,_14610)











Your objectives:
backup tape is stored and password cracker is executed.
Wait a moment while I analyze the problem thoroughly.

***********************************************************************
* To see a list of possible actions, type the letter "h" or the word  *
* "help." To review the audit file or your mail at anytime, type the  *
* word "auditfile" or "mail" respectively.                            *

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: change root password
You chose to change root password.
OK, but a hint: "change permissions file passwd"
is more important now than "change root password".

************ These facts are now true: *************
password root is changed,
backup tape is stored,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: check permissions file passwd
You chose to check permissions file passwd.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: change permissions file passwd
You chose to change permissions file passwd.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: confront user dog
You chose to confront user dog.
OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user dog".

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: locate backup tape
You chose to locate backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: load backup tape
You chose to load backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: find file cd on backup tape
You chose to find file cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
and found(file,cd,on,backup,tape) is true.
Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: execute password cracker
You chose to execute password cracker.
OK, but a hint: "compare file ls for Trojan Horse with ls on backup tape"
is more important now than "execute password cracker".

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,_356277) is true,
known(insecure,password,for,_356284) is true,
known(insecure,password,for,_356291) is true,
known(insecure,password,for,_356298) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: find file ls on backup tape
You chose to find file ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password dog
You chose to examine user password dog.
Have you confused that with the investigate user password dog action?
Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password dog
You chose to investigate user password dog.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for adams
You chose to change password for adams.
OK, but a hint: "restore modified file bb from backup"
is more important now than "change password for adams".

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file bb on backup tape
You chose to find file bb on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
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password cracker is executed, 

backup tape is loaded, 

backup tape is located, 

changed(password,for,adams) is true, 

chemgedCpermissions,file,pas8wd) is true, 

cheeked(permiasions,file,passwd) is true, 

investigated(user,password,dog) is true, 

)cnown( insecure, pas sword, for, adams) is true, 
known(insecure,pas8word,for,farmer) is true, 
known(insecure,password,for,graham) is true, 
known(insecure,password,for,smith) is true, 
mail(adams,root,5709,bad(cd,bin)) is true, 
mail(brown,root,5455,bad(cd,bin)) is true, 
mail(dog,root,4906,bad(bb,tom)) is true, 
mail(graham,root,8266,bad(cd,bin)) is true, 
mail(jones,root,5435,bad(cd,bin)) is true, 

mail(root,root,3974,Captain Flash strikes again!!!!) is true, 
found(file,bb,on,backup,tape) is true, 
fo\ind(file,cd,on,backup, tape) is true, 
found(file,Is,on,backup,tape) is true, 

cozi^ared(file,cd, for,Trojan Horse,with, cd,on,backup, tape) is true, 
and coii 5 >ared(file,Is,for,Trojan Horse,with,ls,on,bac)cup,tape) is true. 
Select ajL action: restore modified file bb from backup 
You chose to restore modified file bb from backup. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file cd from backup 
You chose to restore modified file cd from backup. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change user password smith 
You chose to change user password smith. 

Not a valid action. 

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for smith 
You chose to change password for smith. 

OK, but a hint: "restore deleted file aa from backup" 
is more important now than "change password for smith".

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file aa on backup tape 
You chose to find file aa on backup tape. 

OK. 

************ These facts are now true: ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file aa from backup 
You chose to restore deleted file aa from backup. 

OK. 

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup. 

OK. 

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: store backup tape 
You chose to store backup tape. 

OK, but a hint: "change password for farmer" 
is more important now than "store backup tape".

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
file aa is restored,
file bb is restored,
file cd is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for farmer
You chose to change password for farmer.

OK. 

************ These facts are now true: ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
file aa is restored,
file bb is restored,
file cd is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for graham
You chose to change password for graham.

OK. 

Congratulations! You have done the job. 

The session is over. Do "go." to restart. 

yes 

| ?- statistics.

memory (total)     2484704 bytes:    1331300 in use,   1153404 free
   program space   1200236 bytes
   global space      65532 bytes:      27348 in use,     38184 free
      global stack                     25220 bytes
      trail                               40 bytes
      system                            2088 bytes
   local stack       65532 bytes:        648 in use,     64884 free
      local stack                        624 bytes
      system                              24 bytes

16.017 sec. for 0 global and 30 local space shifts
 0.234 sec. for 1 garbage collections which collected 992596 bytes
47.066 sec. runtime

yes
| ?- halt.

TAB 4. RUN 3


The following is the audit file used for Run 4: 


audit(jones,338,none,'login jones',fail).
audit(jones,347,none,'login jones',fail).
audit(jones,355,none,'login jones',fail).
audit(jones,361,none,'login jones',fail).
audit(jones,363,none,'login jones',fail).
audit(jones,372,none,'login jones',fail).
audit(jones,385,none,'login jones',fail).
audit(jones,387,none,'login jones',fail).
audit(jones,394,none,'login jones',fail).
audit(jones,402,none,'login jones',fail).
audit(jones,413,none,'login jones',fail).
audit(jones,426,none,'login jones',ok).
audit(jones,433,jones,'cd ~root/bin',ok).
audit(jones,451,bin,ls,ok).
audit(jones,462,bin,'cd ~root',ok).
audit(jones,475,root,ls,ok).
audit(jones,481,root,'login root',fail).
audit(jones,489,root,'login root',fail).
audit(jones,495,root,'login root',fail).
audit(jones,501,root,'login root',fail).
audit(jones,514,root,'login root',ok).
audit(root,518,root,'cd ~adams',ok).
audit(root,533,adams,'cd ~tom/ba',ok).
audit(root,537,ba,'cd bin',ok).
audit(root,537,bin,'cd ~evans/csclass',ok).
audit(root,549,csclass,'cd ~root/etc',ok).
audit(root,557,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(root,569,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,576,etc,logout,ok).
audit(brown,1691,none,'login brown',ok).
audit(evans,1693,none,'login evans',ok).
audit(brown,1708,brown,'cd ~adams',ok).
audit(brown,1711,adams,'cd ~tom/ba',ok).
audit(brown,1726,ba,'cd ~root/bin',ok).
audit(brown,1730,bin,'cd ~evans/csclass',ok).
audit(brown,1734,csclass,'cd ~davis',ok).
audit(brown,1741,davis,'cd ~adams/diradams',ok).
audit(brown,1744,diradams,'cd ~doe',ok).
audit(brown,1752,doe,'cd ~tom',ok).
audit(tom,1843,none,'login tom',ok).
audit(tom,1845,tom,'cd ~adams',ok).
audit(tom,1859,adams,'cd ba',ok).
audit(tom,1872,ba,'cd ~root/bin',ok).
audit(tom,1905,bin,ls,ok).
audit(tom,2091,bin,'cd ~adams',ok).
audit(tom,2106,adams,'cd ba',ok).
audit(evans,2109,evans,'cd csclass',ok).
audit(evans,2109,csclass,logout,ok).
audit(tom,2126,ba,'cd ~graham',ok).
audit(tom,2160,graham,ls,ok).
audit(graham,2171,none,'login graham',fail).
audit(graham,2172,none,'login graham',fail).
audit(graham,2176,none,'login graham',ok).
audit(graham,2177,graham,'cd ~root/bin',ok).
audit(tom,2184,graham,'login graham',ok).
audit(graham,2194,bin,ls,fail).
audit(brown,2212,tom,'emacs bb',587).
audit(graham,2213,bin,ls,ok).
audit(graham,2214,bin,'cd ~dog',ok).
audit(graham,2249,dog,ls,fail).
audit(graham,2253,graham,'emacs important',10360).
audit(graham,2255,dog,ls,fail).
audit(graham,2260,graham,logout,ok).
audit(graham,2273,dog,ls,ok).
audit(graham,2292,dog,'cd ~adams',ok).
audit(graham,2302,adams,'cd ~tom/ba',ok).
audit(graham,2311,ba,'cd ~root/bin',ok).
audit(graham,2321,bin,'cd ~tom',ok).
audit(farmer,2330,none,'login farmer',ok).
audit(graham,2330,tom,ls,ok).
audit(farmer,2340,farmer,'cd ~adams',ok).
audit(graham,2342,tom,'cd ~adams',ok).
audit(farmer,2352,adams,'cd ~smith',ok).
audit(graham,2360,adams,'cd ~tom/ba',ok).
audit(davis,2363,none,'login davis',ok).
audit(graham,2367,ba,'cd ~uri',ok).
audit(graham,2376,uri,ls,ok).
audit(brown,2382,tom,'mail root',bad(bb,tom)).
audit(graham,2382,uri,'cd ~adams',ok).
audit(brown,2383,tom,logout,ok).
audit(farmer,2384,smith,ls,ok).
audit(graham,2391,adams,'cd ~tom',ok).
audit(farmer,2414,smith,'login smith',fail).
audit(farmer,2422,smith,'login smith',ok).
audit(graham,2429,tom,'rm *',ok).
audit(graham,2439,tom,'mail tom','Haha ful').
audit(graham,2444,tom,logout,ok).
audit(smith,2651,smith,'emacs tmpl434',344).
audit(davis,2940,davis,'emacs goodnews',1526).
audit(davis,2945,davis,logout,ok).
audit(evans,3046,none,'login evans',ok).
audit(evans,3066,evans,'cd ~adams',ok).
audit(evans,3075,adams,'cd ~tom/ba',ok).
audit(evans,3094,ba,'cd ~root/bin',ok).
audit(evans,3106,bin,'cd ~evans/csclass',ok).
audit(evans,3115,csclass,'cd ~doe',ok).
audit(evans,3118,none,'login evans',ok).
audit(smith,3122,smith,'emacs tmpl435',362).
audit(evans,3128,evans,'cd ~tom',ok).
audit(evans,3136,doe,ls,ok).
audit(evans,3161,tom,ls,ok).
audit(evans,3205,tom,ls,ok).
audit(smith,3237,smith,'emacs tmpl436',405).
audit(smith,3239,smith,logout,ok).
audit(evans,3290,doe,ls,fail).
audit(evans,3328,doe,ls,ok).
audit(evans,3351,tom,'emacs aa',503).
audit(evans,3357,tom,logout,ok).
audit(evans,3475,doe,'emacs bigpaper',30095).
audit(evans,3477,doe,logout,ok).
audit(davis,5712,none,'login davis',ok).
audit(davis,6132,davis,'emacs topsecret',1572).
audit(davis,6134,davis,logout,ok).
audit(davis,7336,none,'login davis',fail).
audit(davis,7346,none,'login davis',fail).
audit(davis,7354,none,'login davis',fail).
audit(davis,7363,none,'login davis',fail).
audit(davis,7364,none,'login davis',fail).
audit(davis,7371,none,'login davis',fail).
audit(davis,7378,none,'login davis',fail).
audit(davis,7387,none,'login davis',fail).
audit(davis,7399,none,'login davis',fail).
audit(davis,7402,none,'login davis',fail).
audit(davis,7409,none,'login davis',fail).
audit(davis,7417,none,'login davis',ok).
audit(davis,7436,davis,su,fail).
audit(davis,7445,davis,su,fail).
audit(davis,7446,davis,su,fail).
audit(davis,7459,davis,su,fail).
audit(davis,7472,davis,su,fail).
audit(davis,7488,davis,su,fail).
audit(davis,7501,davis,su,fail).
audit(davis,7516,davis,su,fail).
audit(davis,7521,davis,su,fail).
audit(davis,7521,davis,su,ok).
audit(davis,7535,davis,'cd ~adams',ok).
audit(davis,7554,adams,ls,ok).
audit(davis,7574,adams,'cd ~dog',ok).
audit(davis,7606,dog,ls,fail).
audit(davis,7620,dog,ls,fail).
audit(davis,7624,dog,ls,fail).
audit(davis,7638,dog,ls,ok).
audit(davis,7656,dog,'cd ~farmer',ok).
audit(farmer,7665,none,'login farmer',ok).
audit(farmer,7678,farmer,'cd ~adams',ok).
audit(davis,7679,farmer,ls,ok).
audit(davis,7685,farmer,'cd ~adams',ok).
audit(davis,7695,adams,'cd ~tom/ba',ok).
audit(davis,7696,ba,'cd ~root/bin',ok).
audit(davis,7703,bin,'cd ~evans/csclass',ok).
audit(davis,7706,csclass,'cd ~davis',ok).
audit(davis,7715,davis,'cd ~adams/diradams',ok).
audit(farmer,7716,adams,ls,ok).
audit(davis,7732,diradams,'cd ~graham',ok).
audit(davis,7763,graham,ls,ok).
audit(davis,7779,graham,'cd ~adams',ok).
audit(davis,7797,adams,'cd ~tom/ba',ok).
audit(davis,7799,ba,'cd ~root/bin',ok).
audit(davis,7808,bin,'cd ~evans/csclass',ok).
audit(davis,7820,csclass,'cd ~root',ok).
audit(davis,7823,root,ls,ok).
audit(davis,7827,root,'cd ~adams',ok).
audit(farmer,7877,adams,ls,ok).
audit(farmer,7883,adams,'login adams',ok).
audit(adams,7886,adams,'cd ~adams',ok).
audit(adams,7896,adams,'cd ~tom/ba',ok).
audit(adams,7911,ba,'cd ~adams/diradams',ok).
audit(davis,7936,adams,'cat auxa',ok).
audit(davis,8071,adams,'cat auxb',ok).
audit(davis,8182,adams,'cat auxc',ok).
audit(davis,8217,adams,'cat diradams',ok).
audit(davis,8229,adams,'cd ~graham',ok).
audit(davis,8247,graham,'cat important',ok).
audit(davis,8254,graham,'cd ~farmer',ok).
audit(adams,8260,diradams,'emacs auxb',1134).
audit(davis,8445,farmer,'cat secrets',ok).
audit(davis,8447,farmer,logout,ok).
audit(adams,8519,diradams,'emacs auxc',5118).
audit(adams,8520,diradams,logout,ok).
audit(jones,9008,none,'login jones',fail).
audit(jones,9015,none,'login jones',fail).
audit(jones,9019,none,'login jones',fail).
audit(jones,9032,none,'login jones',fail).
audit(jones,9043,none,'login jones',ok).
audit(jones,9049,jones,su,fail).
audit(jones,9058,jones,su,fail).
audit(jones,9069,jones,su,fail).
audit(jones,9085,jones,su,fail).
audit(jones,9090,jones,su,fail).
audit(jones,9107,jones,su,fail).
audit(jones,9115,jones,su,fail).
audit(jones,9123,jones,su,fail).
audit(jones,9133,jones,su,fail).
audit(jones,9149,jones,su,ok).
audit(jones,9163,jones,'cd ~adams',ok).
audit(jones,9165,adams,'cd ~root/bin',ok).
audit(jones,9190,bin,ls,ok).
audit(jones,9200,bin,'cd ~adams',ok).
audit(jones,9203,adams,'cd ~root',ok).
audit(jones,9218,root,ls,ok).
audit(jones,9228,root,'cd ~adams',ok).
audit(jones,9240,adams,'cd ~root/bin',ok).
audit(jones,9441,bin,'emacs cd',5109).
audit(jones,9560,bin,'emacs ls',2133).
audit(jones,9776,bin,'emacs please_run_me',22914).
audit(jones,9781,bin,logout,ok).
audit(jones,9789,bin,'login jones',ok).
audit(jones,9808,jones,'cd ~root/bin',ok).
audit(jones,10393,bin,'emacs please_run_me',22914).
audit(jones,10401,bin,logout,ok).


The following is the script of Run 4: 


Script started on Wed Mar 15 22:56:06 1995 
.alias: No such file or directory. 

ai2:/users/work4/schiavo/Thesis/Tutor>>prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.133 sec 9,392 bytes
% module random imported into user
* Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.000 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modrowe?
% modrowe? compiled in module user, 0.684 sec 15,720 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.434 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
* Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.617 sec 7,456 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.117 sec 4,256 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.600 sec 6,348 bytes
% intruder.pl compiled in module user, 6.350 sec 102,384 bytes

yes

| ?- statistics.

memory (total)      649696 bytes:     466020 in use,    183676 free
   program space    334956 bytes
   global space      65532 bytes:      26688 in use,     38844 free
      global stack                     24584 bytes
      trail                               16 bytes
      system                            2088 bytes
   local stack       65532 bytes:        440 in use,     65092 free
      local stack                        416 bytes
      system                              24 bytes

 0.000 sec. for 0 global and 3 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
 6.633 sec. runtime

yes
| ?- start.


AUDIT FILE 

The following displays the current contents of the audit file: 


Name    Time   Path      Command              Result
adams   7886   adams     cd ~adams            ok
adams   7896   adams     cd ~tom/ba           ok
adams   7911   ba        cd ~adams/diradams   ok
adams   8260   diradams  emacs auxb           1134
adams   8519   diradams  emacs auxc           5118
adams   8520   diradams  logout               ok
brown   1691   none      login brown          ok
brown   1708   brown     cd ~adams            ok
brown   1711   adams     cd ~tom/ba           ok
brown   1726   ba        cd ~root/bin         ok
brown   1730   bin       cd ~evans/csclass    ok
brown   1734   csclass   cd ~davis            ok
brown   1741   davis     cd ~adams/diradams   ok
brown   1744   diradams  cd ~doe              ok
brown   1752   doe       cd ~tom              ok
brown   2212   tom       emacs bb             587
brown   2382   tom       mail root            bad(bb,tom)
brown   2383   tom       logout               ok
davis   2363   none      login davis          ok
davis   2940   davis     emacs goodnews       1526
davis   2945   davis     logout               ok
davis   5712   none      login davis          ok
davis   6132   davis     emacs topsecret      1572
davis   6134   davis     logout               ok
davis   7336   none      login davis          fail
davis   7346   none      login davis          fail
davis   7354   none      login davis          fail
davis   7363   none      login davis          fail
davis   7364   none      login davis          fail
davis   7371   none      login davis          fail
davis   7378   none      login davis          fail
davis   7387   none      login davis          fail
davis   7399   none      login davis          fail
davis   7402   none      login davis          fail
davis   7409   none      login davis          fail
davis   7417   none      login davis          ok
davis   7436   davis     su                   fail
davis   7445   davis     su                   fail
davis   7446   davis     su                   fail
davis   7459   davis     su                   fail
davis   7472   davis     su                   fail
davis   7488   davis     su                   fail
davis   7501   davis     su                   fail
davis   7516   davis     su                   fail
davis   7521   davis     su                   fail
davis   7521   davis     su                   ok
davis   7535   davis     cd ~adams            ok
davis   7554   adams     ls                   ok
davis   7574   adams     cd ~dog              ok
davis   7606   dog       ls                   fail
davis   7620   dog       ls                   fail
davis   7624   dog       ls                   fail
davis   7638   dog       ls                   ok
davis   7656   dog       cd ~farmer           ok
davis   7679   farmer    ls                   ok
davis   7685   farmer    cd ~adams            ok
davis   7695   adams     cd ~tom/ba           ok
davis   7696   ba        cd ~root/bin         ok
davis   7703   bin       cd ~evans/csclass    ok
davis   7706   csclass   cd ~davis            ok
davis   7715   davis     cd ~adams/diradams   ok
davis   7732   diradams  cd ~graham           ok
davis   7763   graham    ls                   ok
davis   7779   graham    cd ~adams            ok
davis   7797   adams     cd ~tom/ba           ok
davis   7799   ba        cd ~root/bin         ok
davis   7808   bin       cd ~evans/csclass    ok
davis   7820   csclass   cd ~root             ok
davis   7823   root      ls                   ok
davis   7827   root      cd ~adams            ok
davis   7936   adams     cat auxa             ok
davis   8071   adams     cat auxb             ok
davis   8182   adams     cat auxc             ok
davis   8217   adams     cat diradams         ok
davis   8229   adams     cd ~graham           ok
davis   8247   graham    cat important        ok
davis   8254   graham    cd ~farmer           ok
davis   8445   farmer    cat secrets          ok
davis   8447   farmer    logout               ok
evans   1693   none      login evans          ok
evans   2109   csclass   logout               ok
evans   2109   evans     cd csclass           ok
evans   3046   none      login evans          ok
evans   3066   evans     cd ~adams            ok
evans   3075   adams     cd ~tom/ba           ok
evans   3094   ba        cd ~root/bin         ok
evans   3106   bin       cd ~evans/csclass    ok
evans   3115   csclass   cd ~doe              ok
evans   3118   none      login evans          ok
evans   3128   evans     cd ~tom              ok
evans   3136   doe       ls                   ok
evans   3161   tom       ls                   ok
evans   3205   tom       ls                   ok
evans   3290   doe       ls                   fail
evans   3328   doe       ls                   ok
evans   3351   tom       emacs aa             503
evans   3357   tom       logout               ok
evans   3475   doe       emacs bigpaper       30095
evans   3477   doe       logout               ok
farmer  2330   none      login farmer         ok
farmer  2340   farmer    cd ~adams            ok
farmer  2352   adams     cd ~smith            ok
farmer  2384   smith     ls                   ok
farmer  2414   smith     login smith          fail
farmer  2422   smith     login smith          ok
farmer  7665   none      login farmer         ok
farmer  7678   farmer    cd ~adams            ok
farmer  7716   adams     ls                   ok
farmer  7877   adams     ls                   ok
farmer  7883   adams     login adams          ok
graham  2171   none      login graham         fail
graham  2172   none      login graham         fail
graham  2176   none      login graham         ok
graham  2177   graham    cd ~root/bin         ok
graham  2194   bin       ls                   fail
graham  2213   bin       ls                   ok
graham  2214   bin       cd ~dog              ok
graham  2249   dog       ls                   fail
graham  2253   graham    emacs important      10360
graham  2255   dog       ls                   fail
graham  2260   graham    logout               ok
graham  2273   dog       ls                   ok
graham  2292   dog       cd ~adams            ok
graham  2302   adams     cd ~tom/ba           ok
graham  2311   ba        cd ~root/bin         ok
graham  2321   bin       cd ~tom              ok
graham  2330   tom       ls                   ok
graham  2342   tom       cd ~adams            ok
graham  2360   adams     cd ~tom/ba           ok
graham  2367   ba        cd ~uri              ok
graham  2376   uri       ls                   ok
graham  2382   uri       cd ~adams            ok
graham  2391   adams     cd ~tom              ok
graham  2429   tom       rm *                 ok
graham  2439   tom       mail tom             Haha ful
graham  2444   tom       logout               ok
jones   338    none      login jones          fail
jones   347    none      login jones          fail
jones   355    none      login jones          fail
jones   361    none      login jones          fail
jones   363    none      login jones          fail
jones   372    none      login jones          fail
jones   385    none      login jones          fail
jones   387    none      login jones          fail
jones   394    none      login jones          fail
jones   402    none      login jones          fail
jones   413    none      login jones          fail
jones   426    none      login jones          ok
jones   433    jones     cd ~root/bin         ok
jones   451    bin       ls                   ok
jones   462    bin       cd ~root             ok
jones   475    root      ls                   ok
jones   481    root      login root           fail
jones   489    root      login root           fail
jones   495    root      login root           fail
jones   501    root      login root           fail
jones   514    root      login root           ok
jones   9008   none      login jones          fail
jones   9015   none      login jones          fail
jones   9019   none      login jones          fail
jones   9032   none      login jones          fail
jones   9043   none      login jones          ok
jones   9049   jones     su                   fail
jones   9058   jones     su                   fail
jones   9069   jones     su                   fail
jones   9085   jones     su                   fail
jones   9090   jones     su                   fail
jones   9107   jones     su                   fail
jones   9115   jones     su                   fail
jones   9123   jones     su                   fail
jones   9133   jones     su                   fail
jones   9149   jones     su                   ok
jones   9163   jones     cd ~adams            ok
jones   9165   adams     cd ~root/bin         ok
jones   9190   bin       ls                   ok
jones   9200   bin       cd ~adams            ok
jones   9203   adams     cd ~root             ok
jones   9218   root      ls                   ok
jones   9228   root      cd ~adams            ok
jones   9240   adams     cd ~root/bin         ok
jones   9441   bin       emacs cd             5109
jones   9560   bin       emacs ls             2133
jones   9776   bin       emacs please_run_me  22914
jones   9781   bin       logout               ok
jones   9789   bin       login jones          ok
jones   9808   jones     cd ~root/bin         ok
jones   10393  bin       emacs please_run_me  22914
jones   10401  bin       logout               ok
root    518    root      cd ~adams            ok
root    533    adams     cd ~tom/ba           ok
root    537    ba        cd bin               ok
root    537    bin       cd ~evans/csclass    ok
root    549    csclass   cd ~root/etc         ok
root    557    etc       cp passwd ~smith/dont_dare_look_at_this  ok
root    569    etc       mail root            Captain Flash strikes
root    576    etc       logout               ok
smith   2651   smith     emacs tmpl434        344
smith   3122   smith     emacs tmpl435        362
smith   3237   smith     emacs tmpl436        405
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smith 

3239 

smith 

logout 

ok 

tom 

1843 

none 

login tom 

ok 

tom 

1845 

tom 

cd '•adeuns 

ok 

tom 

1859 

adeuns 

cd ba 

ok 

tom 

1872 

ba 

cd -root/bin 

ok 

tom 

1905 

bin 

Is 

ok 

tom 

2091 

bin 

cd -ad 2 uns 

ok 

tom 

2106 

adams 

cd ba 

ok 

tom 

2126 

ba 

cd -graham 

ok 

tom 

2160 

grah 2 un 

Is 

ok 

tom 

2184 

graham 

login graheun 

ok 


MAIL RECEIVED

The following displays mail received by root:

From    To      Time    Problem (File, Directory)
brown   root    2382    bad(bb, tom)
root    root    569     Captain Flash strikes again!!!!


% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_12821)
This fact is not removable: examined(password,_12755)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_12734)
This fact is not removable: changed(password,for,_12692)
This fact is not removable: changed(permissions,file,_12864)
This fact is not removable: restored(password,for,_12800)
This fact is not removable: issued(new,password,to,_12778)
Your objectives: backup tape is stored and password cracker is executed.
Wait a moment while I analyze the problem thoroughly.



* To see a list of possible actions, type the letter "h" or the word  *
* "help." To review the audit file or your mail at anytime, type the  *
* word "auditfile" or "mail" respectively.                            *

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: check permissions file passwd
You chose to check permissions file passwd.
OK.

************ These facts are now true: *************
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change permissions passwd
You chose to change permissions passwd.
Not a valid action.

************ These facts are now true: *************
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change permissions file passwd
You chose to change permissions file passwd.
OK.

************ These facts are now true: *************
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change root password
You chose to change root password.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: confront user davis
You chose to confront user davis.
OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user davis".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: locate backup tape
You chose to locate backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: load backup tape
You chose to load backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: find file cd on backup tape
You chose to find file cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
and found(file,cd,on,backup,tape) is true.
Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: find file ls on backup tape
You chose to find file ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file bb on backup tape
You chose to find file bb on backup tape.
Have you confused that with the find file aa on backup tape action?
OK, but a hint: "restore deleted file aa from backup"
is more important now than "restore deleted file bb from backup".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file aa on backup tape
You chose to find file aa on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file aa from backup
You chose to restore deleted file aa from backup.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
file aa is restored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: store backup tape
You chose to store backup tape.
OK, but a hint: "execute password cracker"
is more important now than "store backup tape".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: execute password cracker
You chose to execute password cracker.
OK.


************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,_434196) is true,
known(insecure,password,for,_434203) is true,
known(insecure,password,for,_434210) is true,
known(insecure,password,for,_434217) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for adams
You chose to change password for adams.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for farmer
You chose to change password for farmer.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for graham
You chose to change password for graham.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for smith
You chose to change password for smith.
OK.

Congratulations! You have done the job.

The session is over. Do "go." to restart.

yes

| ?- statistics.

memory (total)     2222560 bytes:   1043272 in use,   1179288 free
  program space     912208 bytes
  global space       65532 bytes:     28472 in use,     37060 free
    global stack                      26344 bytes
    trail                                40 bytes
    system                             2088 bytes
  local stack        65532 bytes:       648 in use,     64884 free
    local stack                         624 bytes
    system                               24 bytes

17.000 sec. for 0 global and 26 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
33.583 sec. runtime

| ?- halt.